KrebsOnSecurity has reported a potential breach of credit card information at Kmart locations where non-chip credit cards were used, a report supported by evidence from financial industry sources, including banks and credit unions. The breach seems to affect only those cards, but it may be as wide-reaching as all of Kmart’s 735 locations. This comes on the heels of several other high-profile breaches of customer information, including Chipotle, GameStop and Home Depot, and probably won’t do much to help Sears Holdings’ grasp on the retail market as it closes hundreds of stores nationwide.
In a statement, Sears spokesman Chris Braithwaite said:
“We recently became aware that Sears Holdings was a victim of a security incident involving unauthorized credit card activity following certain customer purchases at some of our Kmart stores. We immediately launched a thorough investigation and engaged leading third party forensic experts to review our systems and secure the affected part of our network.
Our Kmart store payment data systems were infected with a form of malicious code that was undetectable by current anti-virus systems and application controls. Once aware of the new malicious code, we quickly removed it and contained the event. We are confident that our customers can safely use their credit and debit cards in our retail stores.
Based on the forensic investigation, NO PERSONAL identifying information (including names, addresses, social security numbers, and email addresses) was obtained by those criminally responsible. However, we believe certain credit card numbers have been compromised. Nevertheless, in light of our EMV compliant point of sale systems, which rolled out last year, we believe the exposure to cardholder data that can be used to create counterfeit cards is limited. There is also no evidence that kmart.com or Sears customers were impacted.” (Emphasis belongs to KrebsOnSecurity.)
This breach mirrors Sears’ 2014 incident, in which the company also denied that any personally identifying information was leaked. The company has also stated that there is no evidence “that debit PIN numbers were compromised.” If you believe you are a victim of this breach, you should contact your bank or credit card company immediately and have a new card issued to you.
Since shopping online still seems to be safe, you can head over to Kmart.com or Sears.com if you want to take advantage of their sales and deals without worrying about your info being stolen.