Kmart confirms month-old data breach, payment card data stolen
First via a filing with the US Securities and Exchange Commission, and then via a press release, Sears Holding Corporation has confirmed a month-old breach that affected POS systems at its Kmart stores.
The breach was discovered on October 9 by Kmart’s Information Technology team, and the company immediately hired a “leading IT security firm” to help in the investigation.
“The investigation to date indicates the breach started in early September. According to the security experts Kmart has been working with, the Kmart store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems,” they shared, and said that while they were able to quickly remove the malware, they still believed that certain debit and credit card numbers have been compromised.
This Track2 data can be used to clone payment cards, but until this point there is no evidence that the criminals have done so and started using them to make fraudulent charges.
It seems so far that no personal information, debit card PIN numbers, email addresses and social security numbers were compromised. Customers who shopped online on Kmart.com are so far believed not to have been affected.
The company made sure to note that affected that customers have no liability for any unauthorized charges if they report them in a timely manner. To further protect our members and customers who shopped with a credit or debit card in our Kmart stores during the month of September through yesterday (Oct. 9, 2014), Kmart will be offering free credit monitoring protection,” the company added.
The investigation is still ongoing, and the company made sure to note that affected customers will not be held liable for any unauthorized charges if they report them “in a timely manner.”
In the meantime, the company will be offering free credit monitoring protection to anyone who used his or her payment card at Kmart from the beginning of September to (and including) October 9, 2014.
They have also said that they have deployed “further advanced software” to protect their customers’ information, but haven’t offered more details.