Sears confirms a new malware attack on Kmart

Register now

Kmart has been hit with a malware attack that has resulted in the compromise of payment card credentials for the second time in three years.

Sears Holdings Corp., which owns Kmart, is reporting that hackers have targeted some of its Kmart stores through malware and have engaged in unauthorized activity on some of its customers' credit cards, according to the company's blog.

Kmart did not escape the flood of retail data breaches in late 2014, suffering a malware attack on the heels of other major breaches at Target, Home Depot and Neiman Marcus.

Sears did not reveal how many credit card numbers were exposed, but indicated that no personal information such as names, addresses, social security numbers or e-mail addresses were stolen.

The company said it has removed the hackers' code and that customers can safely use their credit or debit cards at its stores. It also does not appear that or Sears customers were affected, an indication that the attack likely focused on Kmart store payment terminals.

Sears acknowledged that its payment network was infected with malicious code that its current anti-virus protections and application controls could not detect.

Based on a report by security investigator Brian Krebs more than a week ago, it is likely that Sears and Kmart learned of the possibility of a breach from smaller banks and credit unions. In his blog, Krebs said his discussions with those institutions earlier this month made him believe malware had again infected Kmart's network.

Security experts were quick to weigh in on Kmart's latest troubles, and what the expected outcome will be for consumers and other merchants.

“The security of payment card data is still proving to be difficult for some online and bricks-and-mortar retailers," Robert Capps, authorization strategist and vice president of NuData Security, said in a media statement.

"Given the brisk migration to a chip-and-pin system, we are unlikely to see the stolen credentials used for in-person payments, but they can be used for online transactions," he added. "As we mentioned after the previous Kmart breach, data may not be used right away, but down the road, it can be matched with data from other breaches to build a more complete user profile."

For reprint and licensing requests for this article, click here.