
Kmart Says Hackers Breached Payment System

Kmart Data Breach

[DEVELOPING STORY] - Kmart is the latest large U.S. retailer to experience a breach of its payment systems, joining a fast-growing club dealing with successful hack attacks that have resulted in the exposure of customer data and payment card information.

The company said that on Thursday, Oct. 9, its IT team detected that its payment data systems had been breached, sparking them to quickly initiate an investigation.

The company believes debit and credit card numbers have been compromised.

A company spokesperson told SecurityWeek that they are not able to provide a figure on the number of customers impacted. The spokesperson said that based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the attackers.

“Our investigation to date indicates the breach started in early September,” the company said in a statement (PDF). “According to the security experts we’ve been working with, our Kmart store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems. We were able to quickly remove the malware. However we believe debit and credit card numbers have been compromised.”

The company declined to comment on what security firm was conducting the investigation. customers do not appear to be impacted, Kmart said.

The retailer said that it was working closely with federal law enforcement authorities, its banking partners and other IT security firms as part of the ongoing investigation.

Kmart, a wholly owned subsidiary of Sears Holdings Corporation, operated 1,152 locations as of Feb. 1, 2014.

News of the Kmart data breach comes just one day after Dairy Queen confirmed that its payment systems were breached and infected with malware.

"Attackers have access to a range of custom POS malware these days designed to specifically steal card and magnetic track data from POS memory, which bypasses traditional data-at-rest encryption and perimeter controls," Mark Bower, VP of product marketing at Voltage Security, told SecurityWeek on Friday. "Malware into the POS might come from direct network intrusion, or by subverting the POS software update and patch management system with an infected update. Once in, attackers can syphon off every transaction that customers swipe until it's detected and removed."

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.