Weissblick - Fotolia

Kmart cyber attack highlights PoS vulnerabilities

The cyber attack on Kmart should be a major wake up call for retailers to review the security of their point-of-sale systems, say security experts

Some Kmart stores have been targeted by hackers, leading to unauthorised activity on some of its customers’ credit cards, according to the US retailer’s parent company Sears.

The company did not say how many stores or customers were affected, but said it immediately launched a thorough investigation and engaged leading third-party forensic experts to review its systems and secure the affected part of the network.

Sears said Kmart store payment data systems were infected with a form of malicious code that was “undetectable” by current antivirus systems and application controls.

“Once aware of the new malicious code, we quickly removed it and contained the event. We are confident that our customers can safely use their credit and debit cards in our retail stores,” the company said.

This latest breach is reportedly the second in three years at Kmart, but Sears said there is no evidence linking this incident to a previous security event.

Based on the forensic investigation, Sears said no personal identifying information such as names, addresses, social security numbers, birth dates or email addresses was obtained by the attackers.

The company said certain credit card numbers are thought to have been compromised but, due to the fact that all Kmart stores are EMV chip and PIN technology enabled, the exposure to cardholder data that can be used to create counterfeit cards is limited.

“There is no evidence that Kmart.com or Sears customers were affected, nor that debit PINs were compromised,” Sears said.

According to Sears, Kmart is working closely with federal law enforcement authorities, banking partners and IT security firms in an investigation into the incident.

Read more about cyber security in the retail sector

The company also said it was “actively enhancing” its cyber defences in light of the new form of malware, but said it was policy not to discuss the specific details of its security measures.

Vulnerable third party point-of-sale (PoS) systems represent low hanging fruit for cyber attackers, said Joe Fantuzzi, CEO of risk management firm RiskVision.

“It’s clear that these attacks are only accelerating as attackers continue to refine their techniques and modify malware. For retailers, this latest attack represents a major wake-up call indicating that conducting thorough assessments of critical vulnerabilities and areas of risk around PoS systems is now a non-negotiable requirement,” he said.

Fantuzzi said because a company’s risk posture is only as good as the most vulnerable system, investing thorough assessments that provide more visibility into the greatest areas of risk in an IT environment will serve to significantly mitigate or altogether prevent more risk in future.

“While it might require a few more dollars in the short term, retailers that put more effort into understanding their risk environment before they’re attacked will likely prevent a disastrous breach fallout that includes compliance penalties, legal fees and settlements, as well as loss of brand and valuable customer trust down the road,” he said.

Read more on Hackers and cybercrime prevention