In a statement published on 10 October this year, Kmart Company President Alasdair James acknowledged that the company had recently been the target of a hacking attack. On 9 October 2014, Kmart’s IT team discovered that the company’s PoS (Point-of-Sale) systems were infected with unknown malware, similar to a computer virus. The malware appears to have been active from early September until the date it was discovered, putting customers’ personal information at risk throughout this period.
‘The security experts report that beginning in early September, the payment data systems at Kmart stores were purposely infected with a new form of malware (similar to a computer virus). This resulted in debit and credit card numbers being compromised,’ the statement says.
Although there is no evidence that any personal data was stolen, Kmart is offering free credit monitoring protection to customers who shopped during this period.
‘The privacy and security of our customers’ information is of utmost importance to us, and we are committed to doing everything we can to safeguard our customers’ information in the face of a recent surge of data attacks. To further protect our members and customers who shopped with a credit or debit card in our Kmart stores during the month of September through yesterday (Oct. 9, 2014), Kmart will be offering free credit monitoring protection.’
Kmart’s IT team dealt with the breach immediately, and together with a leading IT company it is continuing the investigation to gauge the full impact. So far there is no evidence of stolen credit card numbers, PIN numbers, Social Security numbers or other customer data, and no evidence that Kmart’s online customers were affected either. ‘Based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by those criminally responsible. There is also no evidence that kmart.com customers were impacted,’ Kmart’s release states.
This attack comes shortly after other retailers were affected by similar incidents. Last week the Dairy Queen restaurant chain’s PoS systems were hit by hackers as well, affecting over 400 of its locations across 46 states. Shortly before that, on 29 September this year, 108 independent locations of the sandwich restaurant Jimmy John’s were infected with malware. Earlier in the month, Home Depot advised that information on 56 million payment cards had been exposed by point-of-sale malware, and just the previous month, in August this year, the Supervalu supermarket chain announced that payment card information had been stolen from 180 of its stores.
On July 31, 2014, the U.S. Department of Homeland Security (DHS) issued an advisory dealing specifically with point-of-sale malware. Its subject was the notorious Backoff malware, but it can serve as an example of how retailers should deal with cyber attacks in order to protect their customers’ data. Evidently, large merchants are still underestimating the issue.
Security professionals say it is no great surprise that yet another major retailer is reporting a breach. Most retailers, they believe, do not have adequate systems for detecting cyberattacks, which means they will remain easy prey for hackers.
Shawn Henry, a former FBI cyber officer who now heads the cyber security firm CrowdStrike Services, thinks retailers need to do a better job of detecting breaches quickly, before large amounts of customer data are stolen. The computer networks of retailers are so large that attackers are more than likely to find a way in, he told Reuters. ‘This is going to continue indefinitely until people change their practices,’ he said.