The Green Sheet

Tuesday, June 6, 2017

New malware involved in second Kmart breach

Sears Holdings Inc. revealed May 31, 2017, that a data security breach occurred in its Kmart Stores division. A notice on Kmart’s website apologized for the incident, the second security breach in three years for the retailer.

Sears spokesman Chris Brathwaite previously disclosed a security breach of the Kmart brand in October 2014, one month after an investigation exposed unauthorized access of its payment data systems. As of this writing, it is unclear how many of Kmart’s 735 locations were affected. The company advised customers to “carefully review and monitor their debit and credit card account statements.”

Gareth Glynne, Senior Vice President, Retail Operations, for Sears and Kmart, said IT security experts have once again found and removed a form of malicious code in the company’s POS systems. Glynne credits EMV (Europay, Mastercard and Visa) technology for minimizing exposure to cardholder data and personal information, but said thieves could have used stolen credit card numbers to make counterfeit cards.

“Given the criminal nature of this attack, Kmart is working closely with federal law enforcement authorities, our banking partners, and IT security firms in this ongoing investigation,” Glynne stated. “We are actively enhancing our defenses in light of this new form of malware. Data security is of critical importance to our company, and we continuously review and improve the safeguards that protect our data in response to changing technology and new threats.”

Patterns persist despite warnings

Csaba Krasznay, PhD, is Product Evangelist at Balabit, a global security technology firm established in 2000 and headquartered in Budapest, Hungary. Krasznay compared the Kmart breach to the TJX Companies Inc. incident that occurred more than a decade ago and involved data stolen from 100 million credit cards at its T.J. Maxx, Marshall’s and Bob’s Stores locations. The Kmart breach highlights the fact that no IT systems are safe if they hold something valuable, he stated.

TJX disclosed the data security breach Jan. 17, 2007, following the company’s December 2006 discovery of suspicious software in its POS systems. Subsequent investigations traced breaches to July 2005, when thieves exploited insecure Wi-Fi connectivity to access unencrypted personal data. A group of small banks sued TJX for fraud-related losses in April 2007. The theft is one of the largest recorded heists in payment card history and is still used as a case study in business schools.

According to Krasznay, the TJX incident helped strengthen the credit card companies’ efforts to promulgate the Payment Card Industry (PCI) Data Security Standard (DSS). “If Kmart was really able to avoid large scale data leakage, then we can be sure that PCI DSS is mature and useful enough in these circumstances, at this point,” he said.

Kmart Stores set up a toll-free hotline for customers who may have been affected by the breach. The company also plans to continually update its website with information pertaining to the ongoing investigation.

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
