For the second time in less than three years, Kmart was hit by a malicious hack.
On Wednesday, May 31, Kmart’s parent company, Sears Holdings, revealed that the chain was the victim of a security incident. The company became aware of the attack, which involved unauthorized credit card activity, following certain customer purchases made at some of its Kmart stores. Shoppers were alerted to the breach via email Wednesday evening.
The department store chain did not reveal the duration of the attack or how many stores were involved in the breach. However, it did confirm that no Kmart.com or Sears customers were impacted.
Specifically, store payment data systems were infected with a form of malicious code — similar to a computer virus — that was undetectable by current anti-virus systems and application controls. Upon learning of the breach, Sears immediately launched a thorough investigation and engaged leading third-party forensic experts to review its systems. Once the chain was aware of the malicious code, “we quickly removed it, contained the event, and secured the affected part of our network,” Sears said.
Sears reported that, according to the forensic investigation, no personal identifying information — including names, addresses, social security numbers, and email addresses — was obtained. However, certain credit card numbers may have been compromised.
“Nevertheless, in light of our EMV compliant point-of-sale systems, which rolled out last year, we believe the exposure to cardholder data that can be used to create counterfeit cards is limited. We are confident that our customers can safely use their credit and debit cards in our retail stores,” according to Sears.
The department store chain and Kmart will continue to work with federal law enforcement authorities, its banking partners, and IT security firms. “We are actively enhancing our defenses in light of this new form of malware. Data security is of critical importance to our company, and we continuously review and improve the safeguards that protect our data in response to changing technology and new threats,” according to the company.
Kmart was the victim of another breach in 2014. Similarly, Kmart’s in-store payment systems were infected with malware, and an unknown number of credit and debit card numbers were stolen. That investigation also suggested that no personal information was affected, according to the Consumerist.
This is another blow for Sears. While the embattled retailer reported its first quarterly profit since 2015, it attributed this gain largely to the sale of its Craftsman brand, and lower expenses due to its $1.25 billion cost-cutting plan.
Overall, Sears posted net income of $244 million in its first fiscal quarter ended April 29, compared with a loss of $471 million in the year-ago period. However, Sears posted a loss of $230 million when adjusted for special items, compared with a loss of $199 million a year earlier.
As for revenues, the company continues to bleed. Revenue fell 20.3% to $4.3 billion in the quarter, down from $5.4 billion last year. The retailer said the year-over-year decline was primarily driven by having fewer Kmart and Sears full-line stores in operation, as well as an 11.9% drop in same-store sales.