Kmart apologizes to customers after month-long security breach
New malware infected payment systems, some cards likely 'compromised'
Discount store Kmart admitted some customers’ payment cards have likely been “compromised” as it became the latest mega retailer to fall victim to cyber-crims.
The parent of the chain, Sears Holding Corp, said the IT team discovered late Thursday that its payment systems had been breached, and further investigations indicate this had started early last month.
Security experts hired by the group found the internal processing systems became “infected with a form of malware that was undetectable by current anti-virus [wares]”, the company said.
The retailer removed the malware but warned customers “certain debit and credit card numbers have been compromised”.
“Based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by those criminally responsible,” it added.
The policies of “most” credit card companies state customers do not have liability for unauthorised charges, but even so consumers could do without the hassle and the worry.
Federal investigators, unnamed security professionals and banking “partners” are working with Sears in a bid to unearth what happened, and Kmart said it is deploying “further advanced software” to prevent re-entry.
Alasdair James, president and chief member officer at Kmart, said:
“I sincerely apologize for any inconvenience this may cause our members and customers.”
Just days ago, US fast-food chain Dairy Queen confirmed it too had been hacked in August - it took six weeks to fess up - with malware harvesting customer names, payment card numbers and expiration dates from 395 outlets in its chain.
And only last month, Home Depot admitted 56 million bank cards are at risk after staff processed payments via malware-infected tills.
Dealing with the aftermath of breaches is no laughing matter, and Target - attacked in 2013 when 40 million credit card numbers were pilfered - said this summer the expense of that security failure is running into hundreds of millions of dollars.
Despite the growing scale of the problem, a report by PWC showed budgets set aside to deal with cyber security actually remained static for the past five years.
“It is critical to fund processes that fully integrate predictive, preventive and incident-response capabilities to minimise the impact of these events,” said Mark Lobel, an advisory principal at the management consultant.
Tom Kellermann, chief cybersecurity officer with Trend Micro, told Reuters that retailers need to raise their game to deal with such attacks.
“It is debatable whether they [Kmart] had sufficient security in place to thwart these thieves,” he said. “The real question that needs to be asked is why haven’t they learned the lessons from the attacks on Target and others”. ®