Sears Holding Co. notified customers late Friday that they discovered their point-of-sale registers at its Kmart stores were compromised by malicious software that stole customer payment information. The company said it has removed the point-of-sale malware from the stores registers and has contained the breach, but the investigation is currently ongoing.
“Yesterday our IT teams detected that our Kmart payment data systems had been breached,” said Chris Brathwaite, spokesman for Sears. “They immediately launched a full investigation working with a leading IT security firm. Our investigation so far indicates that the breach started in early September.”
According to the companies investigators, Brathwaite told Krebs on Security, “our systems were infected with a form of malware that was currently undetectable by anti-malware systems. Our IT teams quickly removed that malware, however we do believe that debit and credit card numbers have been compromised.”
Brathwaite told Krebs that stolen data only included “track 2” data from customer credit and debit cards, information pertaining to customers names, email address, physically address, Social Security numbers, PIN numbers or other sensitive information were not compromised during the breach.
He did acknowledge the fact that with the stolen information, thieves have the ability to create counterfeit copies of the cards allowing them to commit fraud. Thus far, according to Brathwaite, Sears has not identified any cards stolen in the data breach being used fraudulently.
In Kmart’s official statement, Alasdair James, President and Chief Member Officer at Kmart said the company is working closely with the FBI to investigate the matter. Customers affected in the breach will be offered free credit monitoring protection, as comes usual with large scale breaches.
Sears has said that the point-of-sale malware did not travel outside their Kmart stores, no malware was found at any Sears or Roebuck locations.
Information regarding the breach is limited as Kmart only released a small security statement on their homepage regarding the data breach.