Kmart hack: Parent company Sears says customer credit card data compromised in data breach

Sears Holdings, parent company of American retail chain Kmart, said on Wednesday (31 May) it discovered a security breach of its Kmart store payment card systems, compromising customers' credit card numbers.

The company said its Kmart store payment data systems were infected with a form of malicious code that was undetectable by its anti-virus systems and application controls.

"We recently became aware that Sears Holdings was a victim of a security incident involving unauthorized credit card activity following certain customer purchases at some of our Kmart stores," the company said in a statement to security expert Brian Krebs, who first reported the breach. "We immediately launched a thorough investigation and engaged leading third party forensic experts to review our systems and secure the affected part of our network."

"Once aware of the new malicious code, we quickly removed it and contained the event," the company added. "We are confident that our customers can safely use their credit and debit cards in our retail stores."

Sears stressed that customers' personal data such as names, addresses and social security numbers were not accessed in the attack. However, it admitted that certain credit card numbers were compromised, but did not specify how many.

"In light of our EMV compliant point of sale systems, which rolled out last year, we believe the exposure to cardholder data that can be used to create counterfeit cards is limited," Sears said. There is no evidence that Kmart.com or Sears customers were impacted or any debit PIN numbers were compromised in the attack.

Sears did not reveal when the breach occurred, name any suspected perpetrators behind the cyberattack or mention how many Kmart stores were affected.

There are 735 Kmart stores across 49 states in the US. Finance industry sources told KrebsOnSecurity that the breach did not seem to be affecting all Kmart stores.

The company has launched an investigation and is working closely with federal law enforcement authorities, banking partners and third party security firms to review its systems.

In 2014, Sears' Kmart stores suffered another similar breach in which its point-of-sale registers were infected with malicious software to steal customers' payment card data.

"We are actively enhancing our defenses in light of this new form of malware," it said. "Data security is of critical importance to our company, and we continuously review and improve the safeguards that protect our data in response to changing technology and new threats."