The discount retailer known for its Blue Light Specials has been added to the increasingly long list of companies that experienced serious data breaches in 2014. On October 9, 2014, Kmart’s IT team discovered that its payment data systems had been hacked. Kmart believes that the breach began in early September, slipped past its anti-virus software and went undetected for over a month.
Like the Home Depot data breach and other recent cyber-attacks, Kmart has stated that malicious software was inserted into its point-of-sale systems compromising debit and credit card data. However, after conducting ongoing, in-depth forensic investigation, the discount retailer has promised in a letter on its website that no personal information, debit card PIN numbers, email addresses, or social security numbers were obtained by the cyber criminals.
Kmart has not provided any specific details on how many of its 1,100+ brick-and-mortar stores were affected or how many debit and credit cards were compromised. Kmart has said that there is no evidence that its online business, www.kmart.com, was affected.
Following the discovery on the 9th, Sears, Kmart’s parent company, submitted a filing on October 10th with the Securities and Exchange Commission (SEC) notifying the public of the data breach.
Kmart began working diligently with its IT security firm, banking partners and law enforcement agencies to investigate and mitigate the situation. The malware was immediately removed. The retailer hasn’t provided details on what type of malware it was or how it got on its machines.
Some security experts are speculating that it may be a version of the malicious software package referred to as “Backoff,” which the Department of Homeland Security (DHS) warned the public about in July 2014. In its advisory, DHS said that this malware had been used to infect more than 1,000 businesses, including the point-of-sale systems of some major retailers. The challenge is that most anti-virus packages don’t protect against this type of malware, because the malware is designed specifically to evade anti-virus detection.
Experts say that although the attackers are using similar malware, each data breach has had a different entry point. Most are going through remote-access tools used by employees and vendors who access systems from other locations. Once the criminals gain remote access, they are able to install the malware on the organization’s systems. In the case of point-of-sale systems, the malware then transfers the payment information back to the criminals’ servers.
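The final step in that chain, the malware sending card data out to a server the criminals control, is one a defender can watch for on the network even when endpoint anti-virus misses the malware itself. The following script is an added example, not code from Kmart, Sears, DHS or any tool named in this article: it runs an egress allowlist check over a handful of constructed flow records. The hostnames, IP addresses (taken from the RFC 5737 documentation ranges), the assumption that register hosts are named with a `pos-` prefix, and the assumption that registers should only ever talk to the payment processor and the store’s own network are all made up for the illustration.

```python
"""Flag point-of-sale hosts sending data to destinations outside an allowlist.

Added example: an egress check over constructed flow records, illustrating how
the exfiltration step described in the article can be surfaced on the network
even when endpoint anti-virus does not catch the malware.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed sample flow records (timestamp host src_ip dst_ip dst_port bytes_out).
# None of these hosts or addresses come from the Kmart incident.
SAMPLE_FLOWS = """\
2014-09-03T02:14:07Z pos-register-17 10.20.5.17 203.0.113.10 443 12480
2014-09-03T02:15:11Z pos-register-17 10.20.5.17 198.51.100.25 8080 5120
2014-09-03T02:15:12Z pos-register-04 10.20.5.4 10.20.1.10 445 2048
2014-09-03T03:40:02Z office-laptop-9 10.30.2.9 198.51.100.25 443 91000
2014-09-03T03:41:15Z pos-register-04 10.20.5.4 203.0.113.10 443 9920
2014-09-03T03:42:30Z pos-register-17 10.20.5.17 198.51.100.25 8080 7680
"""

# Assumed policy: registers may talk only to the payment processor (represented
# here by the documentation range 203.0.113.0/24) and the store's own network.
ALLOWED_DESTINATIONS = (
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.20.0.0/16"),
)


@dataclass(frozen=True)
class Flow:
    timestamp: str
    src_host: str
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record into a Flow."""
    ts, host, src, dst, port, nbytes = line.split()
    return Flow(ts, host, src, dst, int(port), int(nbytes))


def is_pos_host(hostname: str) -> bool:
    """Assumed naming convention: register hosts carry a 'pos-' prefix."""
    return hostname.startswith("pos-")


def is_allowed_destination(dst_ip: str) -> bool:
    """True if the destination falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in ALLOWED_DESTINATIONS)


def find_suspicious_egress(flow_text: str) -> list[Flow]:
    """Return flows where a POS host sends data somewhere outside the allowlist."""
    flagged = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_pos_host(flow.src_host) and not is_allowed_destination(flow.dst_ip):
            flagged.append(flow)
    return flagged


def bytes_by_destination(flows: list[Flow]) -> dict[tuple[str, str], int]:
    """Total bytes each POS host pushed to each unexpected destination."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for f in flows:
        totals[(f.src_host, f.dst_ip)] += f.bytes_out
    return dict(totals)


if __name__ == "__main__":
    hits = find_suspicious_egress(SAMPLE_FLOWS)
    for f in hits:
        print(f"{f.timestamp} {f.src_host} -> {f.dst_ip}:{f.dst_port} ({f.bytes_out} bytes)")
    print(bytes_by_destination(hits))
```

On the sample data the two flows from `pos-register-17` to `198.51.100.25` are flagged, while the office laptop reaching the same address is not, because a general-purpose workstation has no such narrow allowlist. Aggregating bytes per host and destination is what turns individual flows into something an analyst can prioritise: a register that keeps pushing data to one unfamiliar address over a month is exactly the pattern that went unnoticed here.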
Following in the footsteps of Home Depot, Kmart is trying to make amends with its customers by offering free credit monitoring protection for one year for any customer who used their debit or credit card in a store between September 1 and October 9. Customers will not be liable for any unauthorized charges made on their cards as long “as they report them in a timely manner.”
These data breaches are having a significant financial impact on the companies whose systems have been compromised. Many security experts have said in recent months that it is becoming more evident that businesses aren’t investing enough to safeguard their data and systems from these cyber-attacks, and to protect their mission-critical data and their customers’ personally identifiable information.