POS malware hits Kmart
Kmart (the US company owned by Sears; not the Australian company owned by Wesfarmers) can be added to the growing list of retailers in the USA that have suffered a data breach in the last year. The latest breach has been attributed to malware installed on the retailer’s POS systems.
A statement on the company website reads in part: “On Thursday, Oct. 9, 2014 our IT team detected that our Kmart store payment data system had been breached and immediately launched a full investigation working with a leading IT security firm.” The statement goes on to say that “payment data systems at Kmart stores were purposely infected with a new form of malware (similar to a computer virus).”
Worse still, it looks like the initial infection took place in early September. Sears Holdings has stated that the POS malware has now been removed. However, some customer data may have been stolen. The data stolen from customer cards appears to be restricted to the credit/debit card numbers; customer names, mailing/email addresses and PINs were not stolen. The theft of customer details has been considered serious enough for the US Secret Service to be involved.
The breach has affected approximately 1200 stores across the US. At this stage, the number of customers affected is unknown. Based on the information stolen from the POS systems, fake credit/debit cards could be created, although (as yet) no fraudulent activity has been observed. Brian Krebs is closely monitoring this latest data breach.
Figure A illustrates a “Year of High Profile POS Data Breaches” from November 2013 to November 2014.