Some Kmart stores have been targeted by hackers, leading to unauthorised activity on some of its customers’ credit cards, according to the US retailer’s parent company Sears.
The company did not say how many stores or customers were affected, but said it immediately launched a thorough investigation and engaged leading third-party forensic experts to review its systems and secure the affected part of the network.
Sears said Kmart store payment data systems were infected with a form of malicious code that was “undetectable” by current antivirus systems and application controls.
“Once aware of the new malicious code, we quickly removed it and contained the event. We are confident that our customers can safely use their credit and debit cards in our retail stores,” the company said.
This latest breach is reportedly the second in three years at Kmart, but Sears said there is no evidence linking this incident to a previous security event.
Based on the forensic investigation, Sears said no personal identifying information such as names, addresses, social security numbers, birth dates or email addresses was obtained by the attackers.
The company said certain credit card numbers are thought to have been compromised, but because all Kmart stores are EMV chip-and-PIN enabled, the exposure of cardholder data that could be used to create counterfeit cards is limited.
“There is no evidence that Kmart.com or Sears customers were affected, nor that debit PINs were compromised,” Sears said.
According to Sears, Kmart is working closely with federal law enforcement authorities, banking partners and IT security firms in an investigation into the incident.
The company also said it was “actively enhancing” its cyber defences in light of the new form of malware, but said it was policy not to discuss the specific details of its security measures.
“It’s clear that these attacks are only accelerating as attackers continue to refine their techniques and modify malware. For retailers, this latest attack represents a major wake-up call indicating that conducting thorough assessments of critical vulnerabilities and areas of risk around PoS systems is now a non-negotiable requirement,” Fantuzzi said.
Fantuzzi said that because a company’s risk posture is only as good as its most vulnerable system, investing in thorough assessments that give more visibility into the greatest areas of risk in an IT environment will significantly mitigate, or altogether prevent, further risk in future.
“While it might require a few more dollars in the short term, retailers that put more effort into understanding their risk environment before they’re attacked will likely prevent a disastrous breach fallout that includes compliance penalties, legal fees and settlements, as well as loss of brand and valuable customer trust down the road,” he said.