Kmart Discloses Widespread Credit-Card Theft

Large companies, like politicians, know that the best time to release bad news is on a Friday afternoon, especially before a holiday weekend. A newly disclosed data breach at Kmart fits the pattern.

"On Thursday, Oct. 9, 2014, our IT team detected that our Kmart store-payment data system had been breached and immediately launched a full investigation working with a leading IT security firm," a statement attributed to Kmart President Alisdair James and posted on the Kmart website late today (Oct. 10) read.

"The security experts report that beginning in early September, the payment data systems at Kmart stores were purposely infected with a new form of malware (similar to a computer virus)," the statement continued. "This resulted in debit and credit card numbers being compromised."


Kmart did not say how many customers might be affected or how many stores may have been compromised. But the statement did say that "no personal information, no debit-card PIN numbers, no email addresses and no Social Security numbers were obtained by those criminally responsible," and that Kmart.com had not been affected.

A spokesman for Sears, which owns Kmart, told independent security reporter Brian Krebs that "our systems were infected with a form of malware that was currently undetectable by anti-malware systems."

The malware has not been named, but it's possible it was the Backoff point-of-sale data-stealer, which has been blamed for both the theft of 56 million payment cards from Home Depot disclosed last month, and the breach of Dairy Queen's payment systems disclosed yesterday.

Backoff infects the point-of-sale card readers in retail stores, capturing card data in the split second before it's encrypted by the reader. Neither Home Depot's nor Dairy Queen's security software detected it. (A different point-of-sale card stealer infected Target Stores last year.)

Kmart reassured its customers that they would bear no liability for fraudulent charges if the charges were duly reported to card issuers, and offered "free credit monitoring protection" to anyone who used a payment card at a Kmart retail store from Sept. 1 until yesterday.

Concerned customers can also call Kmart at 888-488-5978.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • Broodman
    The malware hit their internal data warehouse which could be customer data across any of the stores, not dependent on a point of sale hack.
  • Mickiee
    Earth to retailers. Sign on with Apple or get with Europe’s chip-driven cards. DO NOT continue to send me magnetic backed cards, and then ask me three times a year to change all of my auto-pays again, and again.
  • Ubrales
    Paul, thanks for the info!