Retailer Sears Holdings has become the latest victim in a series of internet security breaches at US companies.
The company said the information technology team at its Kmart stores detected a breach at payment data systems starting in early September.
"According to the security experts we have been working with, our Kmart store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems," the company said in a statement.
"We were able to quickly remove the malware. However, we believe certain debit and credit card numbers have been compromised."
Sears added that it immediately launched an investigation into the matter and was working with a leading IT security firm.
No personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the hackers, the company said based on its forensic investigation. There is also no evidence that kmart.com customers were impacted.
The company added that it was working closely with federal law enforcement authorities, its banking partners and IT security firms in the ongoing investigation, as well as deploying advanced software to protect customer data.
Those who shopped at Kmart stores during the month of September through 9 October will get free credit monitoring protection, Sears said.
"We sincerely apologize for any inconvenience this may cause our members and customers," the company said.
"We want our members and customers to be aware of the situation and we suggest that customers carefully review and monitor their debit and credit card account statements. If customers see any sign of suspicious activity, they should immediately contact their card issuer."
Sears Holdings operates through its subsidiaries, including Sears, Roebuck and Co and Kmart Corporation, with more than 2,350 full-line and specialty retail stores in the US and Canada.
Earlier, restaurant chain Dairy Queen said it was hit by a security breach impacting nearly 400 of its restaurants around the country.
Other US companies that were hit by cyber attacks in recent times include JP Morgan, Fidelity Investments, Home Depot, Michaels Stores, Neiman Marcus and Target.