Kmart Says Card Data Stolen in Latest Retail Cyber Hack

Updated on
Kmart Store
A shopper stands outside a Kmart store in the Bronx borough of New York. Photographer: Jin Lee/Bloomberg

Sears Holdings Corp.’s Kmart discount chain, the latest victim of hacker attacks on retailers, said it detected a security breach this week and is investigating the incident with law enforcement officials.

The retailer’s information-technology team identified the breach on Oct. 9 and is working with a top security firm to assess the incursion, which happened in early September, Kmart said in a filing yesterday. Customer payment-card information was probably exposed by the attack.

“According to the security experts Kmart has been working with, the Kmart store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems,” the company said. “Kmart was able to quickly remove the malware. However, Kmart believes certain debit and credit card numbers have been compromised.”

A wave of data breaches at companies including Home Depot Inc., Target Corp. and Neiman Marcus Group Ltd. have pressured retailers to bolster database and credit-card processing security. Nationwide concerns about cyber intrusions have escalated after JPMorgan Chase & Co. recently disclosed that an attack by hackers exposed contact information of 76 million households and 7 million small businesses.

Kmart said it doesn’t appear that personal information, debit-card PINs, e-mail addresses or social security numbers were obtained by the hackers. Howard Riefs, a spokesman, was unable to provide the number of customers affected.

‘Advanced Software’

Kmart said in the statement that it’s working closely with federal law enforcement authorities, banking partners and IT security firms in the ongoing investigation and is “deploying further advanced software to protect customers’ information.”

Home Depot’s data breach between April and September put about 56 million payment cards at risk, the company said in September. The hackers used custom-made software to evade detection as they infiltrated computers at stores in the U.S. and Canada, relying on tools that haven’t been seen in previous attacks, according to the Atlanta-based home improvement retailer.

The company began investigating the attack on Sept. 2, immediately after banking partners and law enforcement raised alarms that its systems may have been infiltrated. Home Depot has said that while payment systems were hacked, there is no evidence that debit-card PINs have been compromised.

Discount Chain

Target has recorded $146 million in expenses as of Aug. 2 related to the discount chain’s breach in which data for 40 million accounts were stolen. Part of the expenses include an estimate on claims yet to be made by the credit card companies.

More than 100 lawsuits have been filed against Target relating to the breach, which contributed to the ouster of Chief Executive Officer Gregg Steinhafel in May. The chain also blamed the attack, which became public in December, for a sales decline in the fourth quarter.

Hackers also have attacked Supervalu Inc. and AB Acquisition LLC, the operator of the Albertsons supermarket chain.

Shares of Sears, based in Hoffman Estates, Illinois, fell 6 percent to $24.78 at the close in New York yesterday, taking its decline for the year to 38 percent.

The parent of Kmart is struggling to revive sales growth and is unloading assets to generate cash after nine straight quarters of losses.

Before it's here, it's on the Bloomberg Terminal. LEARN MORE