Even with fewer stores and sales floors full of boxes, Kmart is still an attractive target for ne’er-do-wells: The retailer has found itself on the receiving end of another hack attack, just three years after its last security breach.
Sears Holding Corp. revealed Wednesday that it was the victim of a security incident involving unauthorized credit card activity following some customer purchases at Kmart stores.
The company did not provide details on how long the attack took place or what specific stores were affected by the breach. However, Kmart did notify customers of the breach via email Wednesday. It’s unclear if that letter went to all customers or just those thought to be affected.
After such a recent hack attack, you might be wondering how Kmart, and Sears Holdings, could not be prepared for a second go-around. As it turns out, the malicious code used to used to infect Kmart’s store payment data systems was undetectable to current anti-virus systems and application controls, says Sears Holdings.
Sears Holdings says that it immediately launched an investigation into the incident and hired third-party forensic expert to review its systems and secure the affected network.
“Once aware of the new malicious code, we quickly removed it and contained the event,” Sears Holdings said. “We are confident that our customers can safely use their credit and debit cards in our retail stores.”
Based on its investigation, Sears Holdings believes that no personally identifying information — such as names, addresses, Social Security Numbers, or email addresses — was obtained.
However, the company does believe that some credit card numbers have been compromised. But because the company rolled out new EMV (also known as chip-and-PIN) point-of-sale systems last year, it believes the exposure of cardholder data that could be used to make counterfeit cards is limited.
So far, the company says there is no evidence to suggest that kmart.com or Sears customers were impacted by the hack.
“Given the criminal nature of this attack, Kmart is continuing to work closely with federal law enforcement authorities, our banking partners, and IT security firms in an ongoing investigation,” Gareth Glynne, senior vice president of retail operations, said in a letter to customers. “We are also actively enhancing our defenses in light of this new form of malware.”
Wednesday’s breach announcement comes nearly three years after the last attack on Kmart’s payment system. In Oct. 2014, the company revealed that its systems had been breached the month before.
In that incident, Kmart noted that in-store payment systems were infected with malware, and an unknown number of credit and debit card numbers were stolen. But like the new breach, an investigation suggested that no personal information was affected.