Kmart recently announced that customer payment card numbers were exposed when its payment data systems were infected with “a new form of malware that was undetectable by current anti-virus systems” from early September to early October of 2014.
BBC News reports that all 1,200 Kmart locations in the U.S. were affected by the breach.
“On Thursday, Oct. 9, 2014 our IT team detected that our Kmart store payment data system had been breached and immediately launched a full investigation working with a leading IT security firm,” Kmart president and CMO Alasdair James said in a statement. “The security experts report that beginning in early September, the payment data systems at Kmart stores were purposely infected with a new form of malware (similar to a computer virus).”
According to the statement, no online customers appear to have been affected.
“Given the criminal nature of this attack, Kmart is working closely with federal law enforcement authorities, our banking partners as well as security experts in this ongoing investigation,” James added.
In an online FAQ [PDF], the company stated, “Our IT teams quickly removed the malware and we are deploying further advanced software to protect our customers’ information. And it’s important to note based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no Social Security numbers were obtained by those criminally responsible.”
Still, RedSeal Networks chief evangelist Steve Hultquist told eSecurity Planet by email that it’s telling that the breach had already been in progress for a month when it was discovered. “This underscores the reality that is a warning to every enterprise: you don’t know what you don’t know,” he said. “Uncovering the invisible is extremely difficult, and it requires insight that is often lacking.”
That means having a current, complete, and accurate map of your entire network, Hultquist said, including “the complete set of potential paths through the network (that likely number in the millions) and being sure that together they comply with your enterprise network security architecture and policies.”
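Hultquist’s point about checking the paths through a network, rather than individual rules, is easier to see with a small model. The Python script below is an added example written for this page; it is not Kmart’s, RedSeal’s or the article’s code, and the zone names, allowed flows and segmentation policy in it are constructed for illustration. It builds a zone-level graph from allowed flows (as they would be derived from firewall or ACL rules), enumerates every simple path between zones, and flags paths that break a policy such as “nothing inbound from the Internet may reach the POS zone” or “POS egress must pass through the payment gateway.” Each rule in the sample is unremarkable on its own; the violation only appears when rules are chained.

```python
"""Path-level segmentation check for a zone-based network model.

Added example, not from the article or any vendor product. All zone
names, rules and policy entries are constructed sample data.
"""
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, str]
Graph = Dict[str, Set[str]]

# Constructed sample: each tuple is an allowed flow (src zone -> dst zone).
# No single rule permits Internet -> POS, yet a chained path exists.
RULES: List[Rule] = [
    ("Internet", "DMZ"),
    ("DMZ", "Corporate"),
    ("Corporate", "Jumphost"),
    ("Jumphost", "POS"),
    ("POS", "PaymentGateway"),
    ("PaymentGateway", "Internet"),
    ("Corporate", "Internet"),
]

# Constructed policy: (src, dst) -> required waypoints. An empty set means
# no path at all is allowed; a non-empty set means every path must pass
# through at least one of the listed zones.
POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("Internet", "POS"): set(),               # no inbound path to the POS zone
    ("POS", "Internet"): {"PaymentGateway"},  # POS egress only via the gateway
}


def build_graph(rules: List[Rule]) -> Graph:
    """Directed adjacency map; every zone named in a rule becomes a node."""
    graph: Graph = {}
    for src, dst in rules:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def enumerate_paths(graph: Graph, src: str, dst: str) -> List[List[str]]:
    """All simple (loop-free) paths from src to dst, via depth-first search.
    On a real network the number of such paths grows combinatorially, which
    is why rule-by-rule review misses transitive exposure."""
    paths: List[List[str]] = []

    def dfs(node: str, visited: Set[str], path: List[str]) -> None:
        if node == dst:
            paths.append(list(path))
            return
        for nxt in sorted(graph.get(node, ())):  # sorted for stable output
            if nxt not in visited:
                visited.add(nxt)
                path.append(nxt)
                dfs(nxt, visited, path)
                path.pop()
                visited.discard(nxt)

    dfs(src, {src}, [src])
    return paths


def check_policy(graph: Graph, policy: Dict[Tuple[str, str], Set[str]]):
    """Return [(policy_key, offending_path), ...] for every path that either
    exists where none is allowed or bypasses all required waypoints."""
    violations = []
    for (src, dst), waypoints in policy.items():
        for path in enumerate_paths(graph, src, dst):
            intermediates = set(path[1:-1])
            if not waypoints or not (intermediates & waypoints):
                violations.append(((src, dst), path))
    return violations


def count_all_paths(graph: Graph) -> int:
    """Total number of simple paths between all ordered zone pairs; shows how
    quickly the path set outgrows the rule set."""
    zones = sorted(graph)
    return sum(len(enumerate_paths(graph, s, d))
               for s in zones for d in zones if s != d)


if __name__ == "__main__":
    g = build_graph(RULES)
    print(f"{len(RULES)} rules, {count_all_paths(g)} simple paths")
    for key, path in check_policy(g, POLICY):
        print("VIOLATION", key, " -> ".join(path))
```

Running the script shows one violation, Internet -> DMZ -> Corporate -> Jumphost -> POS, even though no rule mentions Internet and POS together; dropping the Corporate -> Jumphost flow (or inserting a required waypoint) clears it. The POS -> Internet path passes through the gateway and is therefore compliant.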
Kmart’s breach is the latest in a series of recent major point-of-sale breaches at retailers. Dairy Queen last week acknowledged that almost 400 of its stores were infected with the Backoff point-of-sale malware; Jimmy John’s admitted in late September 2014 that customer payment card data was stolen from 216 of its stores and franchisees; Home Depot announced in September 2014 that information on 56 million payment cards was exposed by point-of-sale malware; and Supervalu stated in August 2014 that payment card information had been stolen from 180 of its stores.
The U.S. Department of Homeland Security recently issued an advisory warning that more than 1,000 U.S. businesses had already been infected with the Backoff point-of-sale malware.
“DHS strongly recommends actively contacting your IT team, antivirus vendor, management service provider, and/or point of sale system vendor to assess whether your assets may be vulnerable and/or compromised,” the advisory stated.