Kmart experienced a point of sale data breach that has affected an undisclosed number of stores and customers, its second breach in three years.
The breach only affected credit cards and all Kmart stores were EMV “Chip and Pin” technology-enabled at the time of the breach, leading officials to believe the exposure to cardholder data that can be used to create counterfeit cards is limited, according to a June 1 press release.
“Our Kmart store payment data systems were infected with a form of malicious code that was undetectable by current anti-virus systems and application controls,” the release said. “Once aware of the new malicious code, we quickly removed it and contained the event.”
The breach will most likely impact customers who weren’t using chip-enabled cards, and an investigation has been launched into the incident.
The timeline of the incident wasn’t disclosed in the release; however, independent researcher Brian Krebs last week began hearing reports from smaller banks and credit unions suspecting another card breach at Kmart, some of which had received alerts from the credit card companies about batches of stolen cards that had all been previously used at Kmart locations.
Krebs reported that at least two financial industry sources said the breach does not appear to have affected all Kmart stores. Sears, Kmart’s parent company, announced a similar breach in October 2014.
“Kmart has stated that they do not believe this incident has any relation to previous breaches in the past, and they are confident that they were successful in eradicating any residual traces of malware or persistence left behind by earlier attacks,” Absolute Global Security Strategist Richard Henderson told SC Media. “This is good news for customers: it appears that this incident was detected relatively promptly.”
However, it’s bad news that Kmart said in the statement that the malware used was previously unseen and undetectable by their antivirus solutions, which could mean dealing with an entirely new family of malware or new methods of infecting POS terminals, he added.
If this is a new malware family, Henderson said it’s critical for Kmart to get information about the attack to other retailers, antivirus companies, and network security appliance vendors so that everyone can both look for indicators of compromise inside their own networks and bolster defenses against this new threat.
If the attackers exploited a new method to insert their malware, Henderson said, a hole was found in Kmart’s AV solution on their POS systems, reminding us all that we cannot rely on any one single solution to protect payment systems.
“I think the single most important piece of information that we know so far is that this could have been much, much worse,” he added. “If Kmart did not have EMV-enabled terminals in their stores, forcing customers with chip cards to swipe their stripe, then the impact may have been substantially larger.”
Some professionals see the incident as an opportunity to promote better security practices and as a reminder that no IT system can stay safe if it holds something valuable.
“More than ten years ago, T.J. Maxx suffered a very similar data breach when approx. 100 million card data was stolen,” Balabit Product Evangelist Csaba Krasznay told SC Media. “That incident helped the drive for credit card companies to introduce PCI DSS as a mandatory security standard for everyone who manages card data.”
Krasznay added that if Kmart was really able to avoid large-scale data leakage, then we can be sure that PCI DSS is mature and useful enough in these circumstances, at this point.
“This once again shows that the current, status quo, efforts in defensive security aren’t working and that companies need to start being proactive, not reactive and apply continuous testing to critical applications,” Cybric Chief Technology Officer (CTO) and former Yahoo Chief Information Officer (CIO) Mike Kail told SC Media.