A September breach at Sears Holdings has likely resulted in customer payment card information being exposed or stolen at the company's Kmart stores, Sears has revealed in a filing to the SEC.
The retailer was made aware of the breach on October 9 by its IT team and has hired a security firm to investigate the September incident. The filing noted that the security pros said “Kmart store data systems were infected with a form of malware that was undetectable by current anti-virus systems.”
The company went on to say that Kmart, which has 1,200 stores in the U.S., removed the malware but still “believes certain debit and credit card numbers have been compromised.” But it offered assurances that PINs, Social Security numbers, email addresses and other personal information had not been exposed.
The breach is also under investigation by the U.S. Secret Service. Kmart will offer a year's free credit monitoring service to those potentially affected by the breach—customers who shopped at Kmart between Sept. 1 and Oct. 9.
The Kmart breach comes on the heels of last week's confirmation of a breach at Dairy Queen, in which systems at 395 of its more than 4,500 U.S. stores and one Orange Julius location were infected with the same Backoff malware that has plagued other retailers nationwide, exposing customers' payment information.
“The reality is that, as long as organizations continue to look at IT security with an individual security solution silo view, data breaches like Kmart and Dairy Queen will continue to occur,” Eric Ouellet, Vice President of Strategy, Bay Dynamics, said in commentary sent by email to SCMagazine.com. “In fact, when you look at large organizations like Kmart, Dairy Queen, Home Depot and Target, the breaches did not occur due to a lack of security tools investment, or certification or lack of a disciplined security program approach.”
Instead, Ouellet explained, “the cookie crumbs left behind” point to three factors—security solutions generate large volumes of data that overwhelm security teams; the solutions operate independently with “no stitching of information between systems” and any stitching that does go on “between haystacks of data is typically a manual process” supported by SIEM or case management tools. As a result, security teams find themselves on the search for important needles in multiple haystacks using tools ill-suited for melding the information.
Jeff Shanahan, CEO of CardConnect, contended that businesses can't get a grip on raw credit card data and are essentially safeguarding “sensitive information with what hackers see as an unlocked fence.” But, he said in comments emailed to SCMagazine.com, it's time for them to “upgrade to malware-resistant point-of-sales terminals that encrypt and tokenize all credit card data” starting from when customers first swipe their cards. “The key is for a business to remove all real touch points with actual card numbers,” which he said will protect customers “in the event of an attack.”
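As an added illustration of the approach Shanahan describes (example code written for this article, not CardConnect's, Kmart's or any vendor's own), the Python below models a checkout flow in which the swiped card number travels only to a processor-side token vault and the merchant retains an opaque token plus the last four digits. The vault, the record layouts and the sample card number are assumptions of the example. It also includes the check a defender would run over the merchant's own stored records to confirm that no full card number survived there, and contrasts it with a legacy record that stored the number directly.

```python
"""Card tokenization at the point of sale: the merchant's records never hold a PAN.

Constructed example. TokenVault stands in for the payment processor's vault; the
direct call from checkout() to the vault stands in for the encrypted hop that a
P2PE terminal would make before the merchant's POS software sees the card data.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

# Constructed sample PAN (a widely published test number that passes Luhn).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Return True if a 13-19 digit string passes the Luhn checksum."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical processor-side vault mapping random tokens to PANs.

    Tokens are random, so a stolen token reveals nothing about the card, and
    the lookup index is a keyed hash so the vault's own index holds no PANs.
    """

    def __init__(self):
        self._key = secrets.token_bytes(32)   # vault-only secret, never at the merchant
        self._pan_by_token = {}
        self._token_by_index = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, issuing a new random one on first sight."""
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        idx = self._index(pan)
        if idx not in self._token_by_index:
            token = "tok_" + secrets.token_urlsafe(12)
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan
        return self._token_by_index[idx]

    def detokenize(self, token: str) -> str:
        """Processor-side only: recover the PAN to settle or refund a charge."""
        return self._pan_by_token[token]


@dataclass
class MerchantRecord:
    """Everything the merchant is allowed to retain about a card sale."""
    order_id: str
    token: str
    last4: str
    amount_cents: int


@dataclass
class LegacyRecord:
    """The pre-tokenization shape: the full card number sits in the sale record."""
    order_id: str
    pan: str
    amount_cents: int


def checkout(vault: TokenVault, order_id: str, swiped_pan: str, amount_cents: int) -> MerchantRecord:
    """Terminal path: PAN goes straight to the vault; only a token comes back."""
    token = vault.tokenize(swiped_pan)
    return MerchantRecord(order_id, token, swiped_pan[-4:], amount_cents)


def find_pans(records) -> list:
    """Defender's check: scan every stored field for a Luhn-valid card number."""
    hits = []
    for rec in records:
        for value in vars(rec).values():
            for m in re.finditer(r"\d{13,19}", str(value)):
                if luhn_valid(m.group()):
                    hits.append(m.group())
    return hits


if __name__ == "__main__":
    vault = TokenVault()
    sale = checkout(vault, "order-1", SAMPLE_PAN, 1999)
    print(sale)                                   # token and last4 only
    print("PANs in tokenized store:", find_pans([sale]))
    print("PANs in legacy store:", find_pans([LegacyRecord("order-9", SAMPLE_PAN, 500)]))
```

The point of `find_pans` is that it runs against what the merchant actually stores, not against what the design says it stores; a Luhn-filtered digit scan over sale records, logs and exports is a cheap way to verify that a tokenization rollout really removed every “touch point” with card numbers.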