Kmart has suffered a data breach affecting an unspecified number of its 735 U.S. locations.
On Wednesday, the big box retailer owned by Sears Holdings Corp. warned customers that "some, not all" of its stores' point-of-sale systems had been infected by malware that exposed their payment card data to attackers.
"We believe certain credit card numbers have been compromised," Sears spokesman Howard Riefs tells Information Security Media Group. He says the breach appears to have only affected some Kmart stores, and it did not hit Sears stores or any websites.
"We recently became aware that Sears Holdings was a victim of a security incident involving unauthorized credit card activity following certain customer purchases at some of our Kmart stores," Riefs says. "We immediately launched a thorough investigation and engaged leading third-party forensic experts to review our systems and secure the affected part of our network."
Kmart says it's working with law enforcement agencies. It issued a data breach FAQ containing more information.
The malware that hit Kmart "was undetectable by current anti-virus systems and application controls," Riefs contends. "We are actively enhancing our defenses in light of this new form of malware."
Similarly, back in 2014, Kmart said that it had been hit by a "new form" of malware that compromised customers' payment card data.
Kmart says the malware infections have been eradicated. "We are confident that our customers can safely use their credit and debit cards in our retail stores," Riefs says. It has also published a breach alert to customers on its website.
The retailer declined to comment on when the malware infection began or was contained, how many stores were affected and how attackers were able to get the malware onto POS systems. "As this is an ongoing investigation, I'm not able to provide a specific number nor a timeframe for the incident," Riefs tells ISMG.
News of the breach investigation was first reported by security blogger Brian Krebs.
No Mention of Fraud Risks
Kmart hasn't specified what type of malware was used or what data was compromised. But POS malware targets track data from cards. That includes a cardholder's name, plus the number, verification code and expiration date of the card.
Anyone whose credit or debit card was exposed to the POS malware is at risk from online fraud. In addition, anyone who was using a card that does not have an EMV chip could see their details cloned and used to create counterfeit cards.
In its communications, however, Kmart downplays the data loss.
"In light of our EMV-compliant point-of-sale systems, which rolled out last year, we believe the exposure to cardholder data that can be used to create counterfeit cards is limited," Riefs says.
Indeed, any U.S. card that carries an EMV chip, as part of U.S. issuers' ongoing move to a "chip and signature" system, would be difficult and expensive for criminals to counterfeit. That's because the EMV chip creates and transmits a one-time code that's required for the transaction to go through.
But not all cards have an EMV chip. Furthermore, EMV chips do nothing to prevent card data from being stolen and used for online fraud.
Kmart's message to consumers, however, never mentions the word "fraud," as in the risk facing customers whose payment card details have been stolen. The alert, however, links to a Federal Trade Commission web page dedicated to preventing identity theft.
The alert also states: "It is important to note that the policies of most credit card companies state that customers have no liability for any unauthorized charges if they report them in a timely manner."
Under U.S. consumer protection laws, however, consumers' liability actually is limited to $50 for a credit card, provided they report suspected fraud to their card issuer in a timely manner. Debit card users have just 48 hours to report suspected fraud to their bank to get the $50 liability limit. After that time period, they could be liable for up to $500 if the fraud is reported up to six months later.
That's one reason why many data breach experts recommend never using debit cards to make purchases at retailers.
Times are Tough
The data breach alert comes at a difficult time for Kmart, which has seen its fortunes continue to flag over the last decade.
The retailer bought its former rival, Sears, for $11 billion in 2004. Since then, however, the combined company has lost ground not just to e-commerce but also changing consumer tastes and habits, which in recent years have increasingly favored rivals such as Walmart and Target. Kmart's inability to run its operations as efficiently as those rivals, as well as keep shelves stocked, some analysts say, means rivals are often able to aggressively undercut its prices.
In March, Kmart warned in a Securities and Exchange Commission filing that it had "substantial doubt" about its ability to stay in business unless it could secure more credit.
"Our historical operating results indicate substantial doubt exists related to the Company's ability to continue as a going concern," the company's SEC filing states.