Kmart appears to be dealing with a malware-based security breach of the payment card processing systems in some of its stores, according to KrebsonSecurity, which reported that it was told by some banks that they had received alerts from credit card companies warning them about stolen cards that had previously been used at Kmart locations.
Kmart parent Sears Holdings admitted to Krebs in a statement that it was the “victim of a security incident,” and that it believes some credit card numbers were compromised, but added, “Based on the forensic investigation, NO PERSONAL identifying information (including names, addresses, social security numbers and email addresses) was obtained by those criminally responsible.”
The retailer said the malicious code used in this incident “was undetectable by current anti-virus systems and application controls.” Krebs noted that Kmart was affected by a similar security breach back in October 2014.
There are a lot of unknowns about this incident — how many Kmart stores were affected, how long the attack lasted (some malware attacks have gone on for months undetected) and to what extent credit card numbers were compromised.
This is yet another example of a security attack that was not intentionally made public by the retailer that was affected, and another case in which the retailer still isn't saying much even now that it has been made public. There have been several security attacks on retailers within the last couple of years that were made public only by KrebsonSecurity's reporting.
Retailers in many cases have moved to reassure customers once the attacks were made public, and that's what Kmart is doing in this case, though it would be helpful to know why it believes no personal identifying details of customers were compromised. In response to the attack, the company said it is updating its security protections, though the admission that its previous security systems failed to detect the malicious code is not very reassuring, as that is exactly what Kmart said when it suffered a similar malware attack back in late 2014.
There is a sense with these ongoing attacks that regardless of how the retail industry responds or what it does, it remains one step behind the criminals. News of this attack comes just a couple of weeks after a malware attack on the store payment systems of Brooks Brothers.
The hits keep coming, and while it doesn't appear that customers are walking away from victimized retailers en masse, there may be a turning point at which that happens. A KPMG study last year said almost 20% of consumers would stop shopping at a retailer affected by an attack, but that left a lot who still would shop at that retailer. For retailers, cybersecurity risks are higher than ever, and if customers want real change in how companies handle these types of attacks, they may need to start voting with their wallets.