Hackers Return to Kmart


Every retailer wants to grow its repeat visitors, as measured by same-store sales improvement. No retailer, however, wants hacker visitors to return, but that is precisely what has happened at discount retailer Kmart, which confirmed a data breach on June 1.

"Our Kmart store payment data systems were infected with a form of malicious code that was undetectable by current anti-virus systems and application controls," a Kmart FAQ on the data breach states. "Once aware of the new malicious code, we quickly removed it and contained the event."

Kmart, which is owned by Sears Holdings, has not fully disclosed how many cardholders may have been impacted or how many of its locations were at risk.

The company did note that the exposure of data was limited to some cardholder information and did not include any personally identifiable information (PII).

"All Kmart stores were EMV 'Chip and Pin' technology enabled during the time that the breach had occurred and we believe the exposure to cardholder data that can be used to create counterfeit cards is limited," the company stated. "There is no evidence that kmart.com or Sears customers were impacted nor that debit PIN numbers were compromised."

The new breach at Kmart is the second time in three years that the retailer has publicly disclosed it was the victim of a data breach. In October 2014, Kmart reported that it was the victim of a point-of-sale (PoS) data breach.

Robert Capps, authorization strategist and Vice President of NuData Security, wrote in an email to eSecurityPlanet that in his view, the security of payment card data is still proving to be difficult for some online and bricks-and-mortar retailers.

"Consumers should monitor the transactions on any account linked to credit or debit cards they have used in a Kmart store and report any fraudulent transactions to their bank as soon as they are identified," Capps said. "Given the brisk migration to a chip-and-pin system, we are unlikely to see the stolen credentials used for in-person payments, but they can be used for online transactions."

As was the case with Kmart's first breach in 2014, the company noted it was the victim of new malware that was undetectable. Nir Polak, CEO of security vendor Exabeam, expects malware writers to outpace anti-malware software, so the signatures and rules used to detect new outbreaks will always fall short.

"We will likely find that this attack started with a stolen credential, used to inject the malware into Kmart’s networks," Polak wrote in an email sent to eSecurityPlanet. "In this modern operating environment, better behavioral analysis — focused on both use of credentials and on the system processes that are spawned from malware — is the best way to detect and shut down these attacks."

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.