Cyber Incident Victim: Kmart
Date: May 2017
Location: United States of America
Summary
Kmart experienced a malware-based breach of its store payment systems, marking the second such incident within three years. The malicious code, undetectable by existing security measures, compromised credit card numbers but did not access personal identifying information. The retailer removed the malware upon detection and emphasized that its EMV-compliant terminals limited counterfeit card risks, so the breach primarily affected customers using non-chip cards. The breach impacted an unspecified subset of physical stores, with no evidence of online customer exposure. Sears Holdings collaborated with law enforcement and cybersecurity experts to investigate and enhance defenses, noting that the attack's criminal nature prevented disclosure of its duration or full scope. Financial institutions observed localized fraud patterns linked to the breach, in contrast to the broader alerts that would have indicated a nationwide compromise.
Description
In late May 2017, Sears Holdings disclosed a malware-driven security breach affecting credit card processing systems at an unspecified number of Kmart retail stores. The incident marked the second such breach at Kmart in less than three years, following a similar October 2014 compromise. Financial institutions first detected suspicious activity when credit card companies alerted them to batches of compromised cards traced exclusively to Kmart purchases. Sears confirmed unauthorized credit card activity following customer transactions at affected stores, initiating an investigation with third-party forensic experts. The company identified malicious code within Kmart's payment data systems that evaded detection by existing anti-virus software and application controls. Upon discovery, Sears removed the malware and contained the intrusion, though it declined to specify how many of Kmart's 735 U.S. stores were impacted or the breach's duration, citing an ongoing investigation.

The malware targeted point-of-sale (POS) systems to capture magnetic stripe data from payment cards, enabling criminals to clone cards for counterfeit fraud. Sears emphasized that no personally identifiable information (including names, addresses, social security numbers, or email addresses) was exfiltrated, and online customers using kmart.com remained unaffected. The company noted that its nationwide rollout of EMV-compliant chip card terminals in 2016 likely limited exposure, as chip technology reduces counterfeit card viability. Impacted customers primarily used non-chip-enabled cards. Financial industry sources indicated the breach did not affect all Kmart locations, as evidenced by fraud alerts that were narrower than expected for a chain-wide compromise. Sears collaborated with federal law enforcement, banking partners, and security firms while enhancing defensive measures against evolving malware threats. The breach underscored persistent vulnerabilities in magnetic stripe transactions despite industry progress toward chip adoption, with Visa reporting 421 million U.S. chip cards (58% of its portfolio) and a 58% year-over-year decrease in counterfeit fraud at chip-enabled merchants by December 2016.
