Kmart hacked – payment systems compromised by malware

It’s not proving to be a good year for US retailers, and it’s just got worse.

Kmart announced on Friday that it had detected a serious security breach involving its store payment data system, and that since at least early September debit and credit card numbers used at the retailer’s bricks-and-mortar stores had been stolen.

Kmart’s president Alasdair James summarised the situation in the advisory posted in a corporate section of Kmart’s website:

On Thursday, Oct. 9, 2014 our IT team detected that our Kmart store payment data system had been breached and immediately launched a full investigation working with a leading IT security firm. The security experts report that beginning in early September, the payment data systems at Kmart stores were purposely infected with a new form of malware (similar to a computer virus). This resulted in debit and credit card numbers being compromised.

Based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by those criminally responsible. There is also no evidence that customers were impacted. This data breach has been contained and the malware has been removed. I sincerely apologize for any inconvenience this may cause our members and customers.

Kmart says it hasn’t seen any evidence that anything other than the numbers of customers’ debit and credit cards have been grabbed by the hackers, but there will obviously be concerns that the situation might turn out to be worse than initially feared.

In what appears to be becoming a common thread between recent retail hacks, the compromised card numbers appear to have been stolen from physical retail stores, not from customers who purchased goods via the company’s website.

Unfortunately, there isn’t much more information at present.

We don’t know how many credit and debit card numbers have been exposed (are we talking millions?), nor has any information been shared regarding what malware might have been used (other than the phrase “a new form of malware”).

What we do know is that Kmart has informed the Secret Service, who are investigating.

Naturally, it would be wise for all those who have shopped at Kmart between early September and October 9th to keep a close eye on their credit and debit card account statements to see if there is any suspicious activity.

Concerned customers are also invited to contact Kmart’s customer care centre at 888-488-5978.

To the firm’s credit, the advisory was linked to from the homepage, so – unlike some similar victims in the recent past – Kmart cannot be accused of not being upfront with its customers about what has happened.

About the author
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.