Kmart becomes the latest retail data breach victim

Kmart has been confirmed as the latest retail chain to be breached after its parent company Sears Holdings Corp admitted that some customers’ debit and credit card numbers had been compromised.

Kmart. Image courtesy of Sergey Yechikov/Shutterstock

In a form submitted to the Securities and Exchange Commission (SEC), Sears says its IT team discovered the breach on 9 October and that further investigations suggest the incursion may have begun at the start of September.

Ongoing forensic examination suggests that no personal information, debit card PINs, social security numbers or email addresses have been snaffled by those behind the attack.

A statement released by Sears said sorry to its customers:

We sincerely apologize for any inconvenience this may cause our members and customers. We want our members and customers to be aware of the situation and we suggest that customers carefully review and monitor their debit and credit card account statements.

The press release, which reveals neither how many payment cards have been compromised nor the nature of the malware used, says there is no evidence that online customers of kmart.com have been affected.

The company says that Kmart’s IT team launched an investigation immediately, alongside an external security firm, and that it continues to work in conjunction with law enforcement and banking partners. Sears also revealed that it is deploying additional software to help safeguard its customers’ data.

The firm has offered free credit monitoring to customers who shopped at Kmart with a debit or credit card during September and up until 9 October but also advises them to monitor their statements for unusual activity.

Kmart, which has a network of 1221 stores across the United States, is only the latest US retailer to suffer a data breach.

In December 2013 Target became the temporary record holder for the largest ever retail breach as attackers used point-of-sale malware to sneak off with 40 million payment card records. The company also reported a second part of the breach which saw the loss of 70 million ‘guest’ records which contained personal information.

Other notable retail incursions over the previous twelve months include one at luxury US retailer Neiman Marcus which saw an undisclosed number of payment cards compromised.

In January, North American craft store Michaels experienced its second breach in 3 years, later reporting that over 2.5 million payment cards were likely to have been affected.

More recently, the restaurant chain P.F. Chang’s revealed in June that it was investigating a potential breach of credit and debit card data. The company later confirmed that payment cards used in 33 of its restaurants were potentially at risk.

In August, point-of-sale malware was used once again, this time to breach Supervalu. While the company hasn’t confirmed how many payment cards were compromised, it did reveal that its investigation was looking into 200 of its stores.

Last month a breach at Home Depot led to the compromise of 56 million unique payment cards after its point-of-sale systems were targeted with custom malware. The scale of this attack makes it the biggest in retail history, surpassing even Target.

More proof, if any was needed, that data breaches are a huge concern to the retail industry came just a few days ago when Dairy Queen became the latest victim, confirming it has found malware known as Backoff on its PoS systems.

With data breaches costing not only billions of dollars, but claiming executives’ jobs as well, now is as good a time as any for firms within every sector to reassess their security implementation. (We have 6 tips for both businesses and consumers here.)

Companies may also be well advised to revisit their incident response plan, or to create one quickly if they don’t have one in place already.

