Sears announces another malware attack on Kmart’s payment system

Biometrics and Fingerprint Scan Security Technology Concept with Kmart Logo | Composite Image, St. George News

ST. GEORGE — Kmart is fighting a malware security breach of its credit card processing systems, the second cyber attack on the big box retailer in less than three years.

Kmart’s parent company, Sears Holdings Corp., released information outlining the malware attack after the company discovered unauthorized credit card activity following certain customer purchases at Kmart stores.

We immediately launched a thorough investigation and engaged leading third party forensic experts to review our systems and secure the affected part of our network,” the company said in a statement released Wednesday.

This 2016 file photo shows the storefront of the Kmart located in St. George, Utah, Jan. 13, 2016 | Photo by Ric Wayman, St. George News

The preliminary investigation revealed that no personal identifying information, including names, addresses, social security numbers or email addresses were obtained by the suspects during the attack.

“However, we believe certain credit card numbers have been compromised,” the statement said.

Hackers appeared to infiltrate payment data systems with malicious code that was undetectable by existing antivirus systems. Upon discovery, the company the code was removed and the system contained.

“All Kmart stores were EMV ‘Chip and Pin’ enabled during the time the breach occurred, and we believe the exposure to cardholder data that can be used to create counterfeit cards is limited,” Sears Holding’s statement said.

EMV “Chip and Pin” technology is a global standard for cards equipped with computer chips and the technology used to authenticate chip-card transactions, according to information obtained from

The company also claims there is no evidence that or Sears customers’ debit PIN numbers were compromised, and there is no evidence that the attack will impact customers.

We are confident that our customers can safely use their credit and debit cards in our retail stores,” the statement said.

Kmart Stores also released a statement Wednesday advising consumers that they have no liability for any unauthorized charges according to most credit card company policies, if reported to the company in a timely manner.

The company battled a similar breach in October 2014 where the company stressed that no personal information or data was stolen.

Both attacks involved malware designed to steal credit and debit card data from point-of-sale, or POS, systems and then makes copies the data stored on the card’s magnetic strip. The data can then be used to clone the cards to be used for purchases.

Sears has engaged with third party forensic experts to get its systems reviewed, the company said, and is working closely with federal law enforcement authorities and IT security firms in the ongoing investigation.

Data security is of critical importance to our company,” Sears Holdings said, “and we continuously review and improve the safeguards that protect our data in response to changing technology and new threats.

The company declined to comment further on the breach when reached by St. George News, saying, “we do not comment on or discuss ongoing investigations.”

The Federal Trade Commission suggests incorporating a few practices into a daily routine can help keep cards and account numbers safe.

  • Don’t give account numbers to anyone on the phone unless you’ve made the call to a company you know to be reputable. If you’ve never done business with them before, do an online search first for reviews or complaints.
  • Carry your cards separately from your wallet. It can minimize your losses if someone steals your wallet or purse. And carry only the card you need for that outing.
  • During a transaction, keep your eye on your card. Make sure you get it back before you walk away.
  • Never sign a blank receipt. Draw a line through any blank spaces above the total.
  • Save your receipts to compare with your statement.
  • Open your bills promptly — or check them online often — and reconcile them with the purchases you’ve made.
  • Report any questionable charges to the card issuer.
  • Notify your card issuer if your address changes or if you will be traveling.

Email: [email protected]

Twitter: @STGnews

Copyright St. George News, LLC, 2017, all rights reserved.

Free News Delivery by Email

Would you like to have the day's news stories delivered right to your inbox every evening? Enter your email below to start!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.