Kmart Security Breach: What Should Sears and You Be Doing Differently?

For the second time in less than three years, Sears Holdings' Kmart stores are the victim of a security breach. While the company has not commented on how many of its 735 stores were involved, it has declared there was an "incident involving unauthorized credit card activity following certain customer purchases at some of our Kmart stores."

Kmart store payment data systems were infected with a form of malicious code (similar to a computer virus) that was undetectable by current anti-virus systems. The company has removed it and contained the event. 

Sears Holdings said it has launched an investigation and engaged leading IT security experts to review its systems and secure the affected part of its network. In 2014, Kmart store payment data systems were also infected with malware that was undetectable by its anti-virus systems. At the time the company admitted the breach, it said it had "deployed advanced software to protect our customers' information."

"Based on the forensic investigation, no personal identifying information – including names, addresses, social security numbers, birth dates and email addresses – was obtained by those criminally responsible," the company said in a statement. "However, we believe certain credit card numbers have been compromised. All Kmart stores were EMV 'Chip and Pin' technology enabled during the time that the breach occurred, and we believe the exposure to cardholder data that can be used to create counterfeit cards is limited. There is no evidence that or Sears customers were impacted nor that debit PIN numbers were compromised."

While Kmart stores did have EMV-capable credit card terminals, not all banks have provided customers with chip-enabled cards just yet.

"Merchants should remember that being compliant may not be (and is usually not) the same thing as being secure," notes John Christly, Global CISO, Netsurion, a provider of managed security services for multi-location businesses, and EventTracker, a SIEM company. "It's one thing to do basically the bare minimum to meet compliance mandates, but it's completely another thing to do IT security properly. Properly locked down systems take a willingness to bring in experts that have 'been there, done that' and know how to lock payment terminals down to where they can only operate as payment terminals and not as general use computers. While there are many tools available to help with many required tasks, the basic concept of proper security starts with an understanding that doing it right takes time, patience, and yes, at times, it will take money."

"The security of payment card data is still proving to be difficult for some online and bricks-and-mortar retailers," says Robert Capps, authorization strategist and Vice President of NuData Security. "Consumers should monitor the transactions on any account linked to credit or debit cards they have used in a Kmart store, and report any fraudulent transactions to their bank as soon as they are identified. Given the brisk migration to a chip-and-pin system, we are unlikely to see the stolen credentials used for in-person payments, but they can be used for online transactions. As we mentioned after the previous Kmart breach, data may not be used right away, but down the road, it can be matched with data from other breaches to build a more complete user profile. Criminals could then use this information or sell it on the dark web for use in more targeted, large-scale spear-phishing or identity theft attacks. Adding the layer of behavioral and passive biometrics will make this data much less useful. This breach is a perfect example of why the data being stolen needs to be devalued: if it can't be used, it won't be stolen in the first place."

"The latest string of breaches reiterates that multi-location retail security requires a new approach, beyond the minimums of maintaining PCI compliance and implementing a managed firewall," says Christly.

For a comprehensive toolbelt to stop cybercriminals before they do real damage, Christly suggests that retailers consider implementing the following technologies:

  • File integrity monitoring (to tell you when files have changed that weren’t supposed to change)
  • Unified threat management appliances (used to integrate security features such as firewall, gateway antivirus, and intrusion detection)
  • Security information and event management (used to centrally collect, store, and analyze log data and other data from various systems to provide a single point of view from which to be alerted to potential issues)
    • Note, the SIEM platform should ideally have a dormant malware hunting capability to detect known and unknown malware that are yet to execute
  • Managed detection and response (brings advanced threat detection and response specifically to the POS systems to reduce malware detection gap and incident response times)
  • Next-generation endpoint security solutions (used to stop attacks on the endpoint computers and servers before they can wreak havoc on other systems)
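As an added illustration of the file integrity monitoring item above (example code written for this page, not from the article, Netsurion or EventTracker), the script below baselines a constructed payment-terminal software directory and then reports which files were added, removed or modified, which is the signal a FIM tool raises when a terminal starts running something other than its payment application:

```python
# Added example (not from the article): a minimal file-integrity check for a
# payment-terminal software directory. Directory layout and file contents are
# constructed here purely for demonstration.
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not land in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each file (path relative to root, POSIX style) to its SHA-256 digest."""
    rootp = Path(root)
    return {p.relative_to(rootp).as_posix(): _sha256(p)
            for p in sorted(rootp.rglob("*")) if p.is_file()}


def diff_baseline(old: dict, new: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake POS directory, then alter it."""
    with tempfile.TemporaryDirectory() as d:
        pos = Path(d) / "pos"
        (pos / "bin").mkdir(parents=True)
        (pos / "bin" / "payapp.exe").write_bytes(b"original payment app")
        (pos / "config.ini").write_text("terminal=1\n")
        baseline = build_baseline(pos)
        # Simulate unauthorized changes: one binary altered, one new file dropped.
        (pos / "bin" / "payapp.exe").write_bytes(b"tampered payment app")
        (pos / "bin" / "svchelper.dll").write_bytes(b"unexpected new binary")
        return diff_baseline(baseline, build_baseline(pos))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off the terminal and the comparison scheduled or event-driven, with any non-empty result forwarded to the SIEM described in the list.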