In Kmart's Armed Data Breach, Police Somehow Not Told Everything

When a Kmart (NASDAQ:SHLD)suffered the loss of sensitive pharmacy customer information in mid-March during an armed robbery, Sears officials and lawyers quickly reviewed details and made sure to follow all federal rules—especially HIPAA guidelines. Somehow, though, Kmart never got around to mentioning the data loss to the police, who were never able to find the gunman because the only physical evidence he took with him—a disk containing that day's data backup—was unknown to them, thanks to Sears.

The Little Rock, Arkansas, police investigating the armed robbery—where the gunman slashed the assistant manager's tires to distract him before ordering him at gunpoint to open the safe—were not happy about being kept in the dark and possibly lied to.

The investigating detective, Det. Julio Gil, "only learned of the cartridges being stolen from Kmart when he was called by media," said Sgt. Cassandra Davis, who is in charge of the Little Rock Police Department's public affairs unit. What prompted those media calls was an April 22 national news release from Kmart, which they issued a month and five days after the robbery happened. (Such a statement is required by HIPAA within 60 days.)

When investigating the incident, police asked the Kmart assistant manager whether anything other than the money had been taken and police were told that nothing else had been taken. After receiving those media calls more than a month later, Det. Gil "called Kmart and Kmart only then confirmed. He had to call them and ask about it before he learned what (the gunman) had actually taken. No one from Kmart made a report," Davis said, meaning that no supplemental report was filed after the initial report said that only about $6,000 cash was taken.

That omission was key as the backup disk was the only piece of physical evidence the suspect took with him. Did the gunman take it home with him? If so, might detectives have seen it in plain sight when interviewing suspects in their homes? Might he have thrown it away, possibly leaving fingerprints on the item in a nearby trashcan? Might he have tried selling the disk or disks (the number of disks is unclear) to a pawnshop or EBay, areas that Little Rock police are well skilled in tracking?

When Davis was asked whether the department was considering a false police report claim, she said no, that the circumstances would be closer to interfering with a police investigation. But the department is not prepared now to file that charge, either.

"We would have liked them to report everything. They could be charged with obstruction, but in this case, no charges are planned," Davis said, adding that charges would have been filed "if the detective had been able to prove that there was a deliberate attempt to obstruct."

That brings us back to the retail IT issue and, more broadly, a retail structure issue. This case brought together two areas of retail security that rarely come together: a direct physical attack (pointing a gun to the head of an employee, ordering that a safe be opened) and data management security issues (PCI, HIPAA and Sarbanes-Oxley type of issues, plus the occasional data breach by way of remote access).

Put another way, it's the more genteel procedures of corporate IT versus the more physical issues of store-level Loss Prevention.Put another way, it's the more genteel procedures of corporate IT versus the more physical issues of store-level Loss Prevention. A shoplifting incident, even a violent one, is typically handled at the local level, whereas a data breach (even a small one) almost always is handled by corporate IT. The most innocuous explanation for this incident is that the assistant store manager didn't recall that there was a backup disk in the safe (loaded guns aimed at an employee's head tends to unnerve people) and discovered it hours or maybe days later. By that point, the entire investigation had been turned over to corporate so he might have assumed that corporate would update police. And given that corporate IT never had contact with local police, that might not have occurred to any of those team members either.

The most sinister explanation is that losing a disk of unencrypted highly-sensitive customer data—governed by federal rules—was highly embarrassing and no one wanted to mention it to police, even though there was an armed gunman loose and that piece of information might have made a difference.

Sears opted to not shed any light on how this happened. "As this is an open investigation, we have no further comment," said Shannelle Armstrong-Fowler, director of public relations for Sears Holdings, which owns both Sears and Kmart. Note: That particular reason to not comment doesn't quite fit this case. That's what you're supposed to say when the police ask you to keep crime scene details private, so that the actual crook doesn't know everything that the police know. In this case, the issue in question—the disclosure of the backup disk being stolen—has already been announced by Sears and the details of the information withheld has been discussed openly by the police. But it still sounds good, as though Kmart's being a good corporate citizen and not wanting to interfere with a police investigation—let perhaps withholding key details about what happened.

The reality of this situation, from a retail structure perspective, is that police need to know all details and they can't have retailers deciding which details may or may not be crucial to an armed robbery investigation. That means that policies must be in place to immediately share data with all relevant parties, at both the local and corporate level. If an armed robber is not caught because of a Sears internal communication flow breakdown, that is a stunningly serious implication.

There is precedence for this, but generally only when the coordination is from local LP personnel with corporate LP personnel and management. But data-sharing and law enforcement coordination between IT and LP is rare. They work with each other (helping to review POS records or E-Commerce logs to help identify a shoplifter) but they rarely work with the same people. Secret Service? IT (unless it's a counterfeit money issue). Local police? LP. FBI? Split. The cyberthief FBI folk are almost solely working with IT while major crimes involving the stores (kidnap, mass shooting) are the FBI people that work almost solely with LP.

All indications thus far are that this particular Arkansas gunman just wanted money and the disk was most likely discarded. But now that Sears has told the world that it's stores keep thousands of that day's most sensitive transactions in a store safe—and that they are fully unencrypted and not even password-protected—it's quite possible that identify thieves and other cybercrooks may try breaking in, either by stealth or possibly even using the violent methods described here.

If that does happen, new levels of coordination are going to be needed. The next such information being withheld might push police to file those obstruction charges, especially because lack of corporate data-sharing is an answer that grow old really quickly. And in the meantime, Sears, can you please encrypt backups of ultra-sensitive data? If you won't do it for traditional data security reasons, maybe you can do it to avoid tempting armed attackers?