Cyber Incident Victim: Kmart

Date: Sep 2015

Location: Australia

Summary

A cybersecurity breach impacted Kmart Australia's online customers, compromising personal information including names, email addresses, delivery and billing details, phone numbers, and product purchase histories. No credit card data was accessed during the incident. The retailer took immediate action to contain the breach upon discovery, engaged forensic investigators, and directly notified affected individuals. Authorities including the Australian Information Commissioner and Federal Police were informed to assist with the investigation. The breach was isolated to a subset of online shoppers; prior incidents affecting the separate US-based entity, which is under different ownership, were unrelated.

Description

In September 2015, Kmart Australia disclosed a security breach affecting its online customers. The incident involved unauthorized external access to customer accounts, compromising personal information including names, email addresses, delivery and billing addresses, telephone numbers, and product purchase details. Kmart confirmed no credit card data was stolen during the intrusion. The breach was detected by the company, which took immediate action to prevent further data access upon discovery. Kmart notified affected customers via email on September 30, 2015, describing the event as an "external privacy breach" and assuring them that forensic investigators were conducting a thorough review. The company emphasized the breach only impacted a subset of online shoppers and stated all compromised accounts had received direct communication.

Kmart Australia engaged leading IT forensic experts to investigate the breach and reported the incident to both the Office of the Australian Information Commissioner and the Australian Federal Police. The retailer clarified that its Australian operations, wholly owned by Wesfarmers, were organizationally separate from the unrelated US-based Kmart chain owned by Sears Holdings Corporation, though both used the Kmart name under a long-term licensing agreement. Kmart Australia explicitly stated there was no evidence linking this breach to a separate 2014 intrusion affecting the US operations, which had involved credit and debit card theft. The company maintained that customers not contacted directly were unaffected and reiterated its commitment to protecting personal information throughout its public communications regarding the incident.
