For the second time in less than three years, Kmart has reported a security breach of its credit card processing systems.
According to a statement from parent company Sears Holdings, Kmart was "a victim of security" involving unauthorized credit card activity following some purchases at Kmart stores. The company immediately launched an investigation, according to Krebs On Security.
"Our Kmart store payment data systems were infected with a form of malicious code that was undetectable by current anti-virus systems and application controls. Once aware of the new malicious code, we quickly removed it and contained the event. We are confident that our customers can safely use their credit and debit cards in our retail stores," the statement said.
Based on initial investigations, no personal identifying information was obtained by hackers. To become EMV compliant at POS last year, Kmart installed new systems, so the exposure of cardholder data that can be used to create counterfeit cards is limited. The new systems accept chip-based cards, which are more secure, but not all banks have issued these types of cards to customers yet.
There is no evidence that Kmart's e-commerce business was impacted.
The Kmart spokesperson would not comment on how many locations were impacted, citing the ongoing investigation.
Sears announced a similar breach in October 2014. At the time, the company stressed that the stolen data did not include customer information such as names, emails and social security information. That incident was also a malware breach of credit and debit cards at POS.
Iboss Cybersecurity CEO Paul Martini issued the following statement about the possible impact of the breach on consumers:
"Retail stores and point of sale systems are obviously prime targets for hackers because stolen credit card data can be used or sold quickly. Retail companies also have extremely complicated networks with stores often distributed around the country. That combination creates an environment where legacy cybersecurity platforms cannot keep up with attacks. In this case, Kmart admitted that the malware was undetectable by its anti-virus software. That's why companies should not just be focused on stopping malware from getting in but also preventing it from actually executing and stealing data."