Sears Holdings Corp. is the latest retail company to experience a data breach.
In a letter to Kmart customers posted Wednesday on the discounter’s web site, Gareth Glynne, senior vice president for retail operations for Sears and Kmart, said “Kmart store payment data systems were infected with a form of malicious code (similar to a computer virus) that was undetectable by current antivirus systems.” Glynne said that once the company was aware of the code, it was quickly removed and the “event” contained. “We are confident that our customers can safely use their credit and debit cards in our retail stores,” he said. Sears and Kmart Holding Corp. merged in 2005.
Glynne also said that, based on a forensic investigation (the company engaged IT security experts to review its systems once it learned of the incident), “no personal, identifying information — including names, addresses, social security numbers, birth dates and e-mail addresses — was obtained” by those who breached the system.
He didn’t say when the breach occurred, although he noted that while certain credit card numbers were compromised, Kmart stores were using EMV “chip and pin” technology when the breach occurred, and the exposure to cardholder data that could be used to create counterfeit cards is limited. He also emphasized that there is “no evidence that kmart.com or Sears customers were impacted nor that debit PIN numbers were compromised.”
As technology has become more sophisticated, both the variety of attacks and the number of incidents targeting different sites have grown. In mid-May, electronic signature provider DocuSign was the target of malware phishing attacks. Brooks Brothers disclosed a few days earlier that malicious software had been installed on some payment processing systems between April 4, 2016 and March 1, 2017, affecting certain store locations. And in early May, it was disclosed that Google’s e-mail platform Gmail was the target of a phishing scam attempting to access accounts through a third-party app. In March, some of Saks Fifth Avenue’s customer information was viewable through a link at the retailer’s web site, and although the breach didn’t involve payment details, it did expose email addresses, IP addresses and phone numbers from a product waitlist database. Hudson’s Bay Co. is the owner of Saks. Last year, the largest data breach is believed to be the one against Yahoo, which involved over 1 billion accounts.
According to the Identity Theft Resource Center, the number of reported data breaches last year was said to have risen by 40 percent from 2015. And phishing attacks — those that try to trick someone, most likely an employee, into opening an e-mailed link in order to gain access to a corporate network — comprised 56 percent of all breaches last year.
Just last month, Target agreed to pay $18.5 million to settle claims in multiple states and the District of Columbia that arose from the discounter’s massive data breach in 2013. That incident is considered one of the largest breaches to hit a U.S. retailer, as data from up to 40 million consumer credit and debit cards was affected. Last month Target pegged the total cost of the breach at $202 million. The $202 million includes three previous settlements in 2015: a $39 million settlement in December with several U.S. banks that service MasterCard; a $67 million settlement with Visa that August; and a $10 million settlement in March with customers who filed a class-action lawsuit in federal court.
In the Kmart disclosure Wednesday, Glynne reminded customers to carefully review and monitor their monthly debit and credit card statements. He also said Kmart is “continuing to work closely with federal law enforcement authorities, our banking partners, and IT security firms in an ongoing investigation. We are actively enhancing our defenses in light of this new form of malware.”
A spokesman for Sears said the incident occurred in “some, not all of our stores.” He added that because of an ongoing investigation, he could not provide further information, such as how many Kmart stores were affected by the breach.