[DEVELOPING STORY] – Kmart is the latest large U.S. retailer to experience a breach of its payment systems, joining a fast growing club dealing successful hack attacks that have resulted in the exposure of customer data and payment card information.
The company said that on Thursday, Oct. 9, its IT team detected that its payment data systems had been breached, sparking them to quickly initiate an investigation.
The company believes debit and credit card numbers have been compromised.
A company spokesperson told SecurityWeek that they are not able to provide a figure on the number of customers impacted. The spokesperson said that based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the attackers.
“Our investigation to date indicates the breach started in early September,” the company said in a statement (PDF). “According to the security experts we’ve been working with, our Kmart store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems. We were able to quickly remove the malware. However we believe debit and credit card numbers have been compromised.”
The company declined to comment on what security firm was conducting the investigation.
Kmart.com customers do not appear to be impacted, Kmart said.
The retailer said that it was working closely with federal law enforcement authorities, ibanking partners and other IT security firms as part of the ongoing investigation.
Kmart, a wholly owned subsidiary of Sears Holdings Corporation, operated 1,152 locations as of Feb. 1 2014.
News of the Kmat data breach comes just one day after Dairy Queen confirmed that its payment systems were breached and infected with malware.
“Attackers have access to a range of custom POS malware these days designed to specifically steal card and magnetic track data from POS memory, which bypasses traditional data-at-rest encryption and perimeter controls,” Mark Bower, VP of product marketing at Voltage Security, told SecurityWeek on Friday. “Malware into the POS might come from direct network intrusion, or by subverting the POS software update and patch management system with an infected update. Once in, attackers can syphon off every transaction that customers swipe until its detected and removed.”