[DEVELOPING STORY] – Kmart is the latest large U.S. retailer to experience a breach of its payment systems, joining a fast growing club dealing successful hack attacks that have resulted in the exposure of customer data and payment card information.
The company said that on Thursday, Oct. 9, its IT team detected that its payment data systems had been breached, sparking them to quickly initiate an investigation.
The company believes debit and credit card numbers have been compromised.
A company spokesperson told SecurityWeek that they are not able to provide a figure on the number of customers impacted. The spokesperson said that based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the attackers.
“Our investigation to date indicates the breach started in early September,” the company said in a statement (PDF). “According to the security experts we’ve been working with, our Kmart store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems. We were able to quickly remove the malware. However we believe debit and credit card numbers have been compromised.”
The company declined to comment on what security firm was conducting the investigation.
Kmart.com customers do not appear to be impacted, Kmart said.
The retailer said that it was working closely with federal law enforcement authorities, ibanking partners and other IT security firms as part of the ongoing investigation.
Kmart, a wholly owned subsidiary of Sears Holdings Corporation, operated 1,152 locations as of Feb. 1 2014.
News of the Kmat data breach comes just one day after Dairy Queen confirmed that its payment systems were breached and infected with malware.
“Attackers have access to a range of custom POS malware these days designed to specifically steal card and magnetic track data from POS memory, which bypasses traditional data-at-rest encryption and perimeter controls,” Mark Bower, VP of product marketing at Voltage Security, told SecurityWeek on Friday. “Malware into the POS might come from direct network intrusion, or by subverting the POS software update and patch management system with an infected update. Once in, attackers can syphon off every transaction that customers swipe until its detected and removed.”

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
More from Mike Lennon
- Watch on Demand: Supply Chain & Third-Party Risk Summit Sessions
- Virtual Event Today: Supply Chain & Third-Party Risk Summit
- Ferrari Says Ransomware Attack Exposed Customer Data
- Webinar Today: How to Build Resilience Against Emerging Cyber Threats
- Make Your Picks: Cyber Madness Bracket Challenge Starts Today
- Cyber Madness Bracket Challenge – Register to Play
- Watch Sessions: Ransomware Resilience & Recovery Summit
- Webinar Today: Entering the Cloud Native Security Era
Latest News
- CISA Gets Proactive With New Pre-Ransomware Alerts
- Watch on Demand: Supply Chain & Third-Party Risk Summit Sessions
- TikTok CEO Grilled by Skeptical Lawmakers on Safety, Content
- CISA, NSA Issue Guidance for IAM Administrators
- Analysis: SEC Cybersecurity Proposals and Biden’s National Cybersecurity Strategy
- Intel Boasts Attack Surface Reduction With New 13th Gen Core vPro Platform
- Cisco Patches High-Severity Vulnerabilities in IOS Software
- ‘Nexus’ Android Trojan Targets 450 Financial Applications
