Kmart Data Breach: Company Confirms Customer Credit Card Information Stolen
The company did not say which of its locations were affected by the breach.

NEW YORK, NY — Sears Holdings, the parent company of Kmart, confirmed Wednesday that the popular retailer experienced a recent data breach, exposing customer credit card data to criminal hackers. While the company did not say which Kmart locations were affected by the breach, it said that online purchases at kmart.com were not targeted in the hack.
"Our Kmart store payment data systems were infected with a form of malicious code that was undetectable by current anti-virus systems and application controls," Howard Riefs, a spokesman for Sears Holdings, said in a statement. "Once aware of the new malicious code, we quickly removed it and contained the event. We are confident that our customers can safely use their credit and debit cards in our retail stores."
The statement continued: "Based on the forensic investigation, NO PERSONAL identifying information (including names, addresses, social security numbers, and email addresses) was obtained by those criminally responsible. However, we believe certain credit card numbers have been compromised. Nevertheless, in light of our EMV compliant point of sale systems, which rolled out last year, we believe the exposure to cardholder data that can be used to create counterfeit cards is limited."
Krebs on Security, a cybersecurity blog, first reported the incident. The blog notes that credit and debit cards that use chips instead of magnetic strips for purchases are generally more secure against data theft.
The statement says that Kmart is working closely with federal investigators and private security firms in response to the attack.
"We are actively enhancing our defenses in light of this new form of malware," it said. "Data security is of critical importance to our company, and we continuously review and improve the safeguards that protect our data in response to changing technology and new threats."
"Retail stores and point of sale systems are obviously prime targets for hackers because stolen credit card data can be used or sold quickly," said iBoss Cybersecurity CEO Paul Martini in response to the attack. "Retail companies also have extremely complicated networks with stores often distributed around the country. That combination creates an environment where legacy cybersecurity platforms cannot keep up with attacks."
He continued: "In this case, Kmart admitted that the malware was undetectable by its anti-virus software. That's why companies should not just be focused on stopping malware from getting in but also preventing it from actually executing and stealing data."
Anyone who believes their credit or debit card data has been breached should contact cardholder services as soon as possible. Sears Holdings has also set up a customer line for any questions related to this incident: 888-488-5978.
Photo by Scott Olson/Getty Images