Kmart Admits Second POS Data Breach in Three Years

Customer credit card information has been stolen from Kmart’s payment system, the company said in a letter and an announcement posted on its website.

Kmart’s parent company, Sears Holdings, is working with federal authorities to investigate the security breach and says no personally identifying information, such as customer names or social security numbers, was stolen with the credit card data.

There does appear to be evidence that the attackers have used the stolen data to create counterfeit cards and make purchases on those cards, Sears senior vice president Gareth Glynne said in a message posted to the company’s website.

Kmart Investigating Payment Security Incident

May 31, 2017

To Our Members,

I am reaching out to inform our loyal Kmart customers of a recent payment security incident. We recently became aware Kmart was a victim of a security incident involving unauthorized credit card activity after certain customer purchases at some of our stores. We immediately launched a thorough investigation and engaged leading IT security experts to review our systems and secure the affected part of our network.

Our investigation to date indicates our Kmart store payment data systems were infected with a form of malicious code (similar to a computer virus) that was undetectable by current anti-virus systems. Once aware of the new malicious code, we quickly removed it and contained the event. We are confident that our customers can safely use their credit and debit cards in our retail stores.

Based on the forensic investigation, NO PERSONAL identifying information – including names, addresses, social security numbers, birth dates and email addresses – was obtained by those criminally responsible. However, we believe certain credit card numbers have been compromised. All Kmart stores were EMV “Chip and Pin” technology enabled during the time that the breach occurred, and we believe the exposure to cardholder data that can be used to create counterfeit cards is limited. There is no evidence that kmart.com or Sears customers were impacted nor that debit PIN numbers were compromised.

It is important to note that the policies of most credit card companies state that customers have no liability for any unauthorized charges if they report them in a timely manner. We suggest that customers carefully review and monitor their debit and credit card account statements. We sincerely apologize for any inconvenience this may cause our members and customers.

Given the criminal nature of this attack, Kmart is continuing to work closely with federal law enforcement authorities, our banking partners, and IT security firms in an ongoing investigation. We are also actively enhancing our defenses in light of this new form of malware. Data security is of critical importance to our company, and we continuously review and improve the safeguards that protect our data in response to changing technology and new threats.

Customers who wish to access the most up-to-date information can learn more at our website, kmart.com, or contact our customer care center at any time at 888-488-5978.

Sincerely,

Gareth Glynne

Senior Vice President

Retail Operations, Sears & Kmart

It was not revealed when the breach occurred or how many customers were affected by it.

