Kmart Discloses Widespread Credit-Card Theft

News
By Paul Wagenseil
published

The retailer said data-stealing malware was found in its payment systems, but did not reveal the number of stores or customers affected.

Large companies, like politicians, know that the best time to release bad news is on a Friday afternoon, especially before a holiday weekend. A newly disclosed data breach at Kmart fits the pattern.

"On Thursday, Oct. 9, 2014, our IT team detected that our Kmart store-payment data system had been breached and immediately launched a full investigation working with a leading IT security firm," a statement attributed to Kmart President Alisdair James and posted on the Kmart website late today (Oct. 10) read.

"The security experts report that beginning in early September, the payment data systems at Kmart stores were purposely infected with a new form of malware (similar to a computer virus)," the statement continued. "This resulted in debit and credit card numbers being compromised."

MORE: How to Protect Yourself from Data Breaches

Kmart did not enumerate how many Kmart customers might be impacted or how many Kmart stores may have been compromised. But the statement did say that "no personal information, no debit-card PIN numbers, no email addresses and no Social Security numbers were obtained by those criminally responsible," and that Kmart.com had not been affected.

A spokesman for Sears, which owns Kmart, told independent security reporter Brian Krebs that "our systems were infected with a form of malware that was currently undetectable by anti-malware systems."

The malware has not been named, but it's possible it was the Backoff point-of-sale data-stealer, which has been blamed for both the theft of 56 million payment cards from Home Depot disclosed last month, and the breach of Dairy Queen's payment systems disclosed yesterday.

Backoff infects the point-of-sale card readers in retail stores, capturing card data in the split second before it's encrypted by the reader. Neither Home Depot's nor Dairy Queen's security software detected it. (A different point-of-sale card stealer infected Target Stores last year.)

Kmart reassured its customers that they would bear no liability for fraudulent charges if the charges were duly reported to card issuers, and offered "free credit monitoring protection" to anyone who used a payment card at a Kmart retail store from Sept. 1 until yesterday.

Concerned customers can also call Kmart at 888-488-5978.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseilFollow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.