Retailer Sears Holdings Corp said the payment data systems at its Kmart stores had been compromised, the latest in a series of computer security breaches to hit U.S. companies in recent months.
The U.S. Secret Service confirmed it was investigating the breach, which occurred in September and compromised the systems of Kmart, which has about 1,200 stores across the United States. The breach did not affect the Sears department store chain.
Sears said it believes hackers made off with some credit and debit card numbers but that the personal information, debit card PIN numbers, email addresses and social security numbers of its customers remained safe.
Security professionals said they were not surprised to learn that yet another major retailer was reporting a breach, adding they believe many big merchants do not have adequate systems for detecting cyberattacks, which means they still remain easy prey for hackers.
“This is going to continue indefinitely until people change their practices,” said Shawn Henry, a former senior cyber cop with the FBI who is now of the president of cyber forensics firm CrowdStrike Services.
He said that hackers are able to get into networks because they are “so broad and vast” that attackers will always find a way in. Retailers need to do a better job of quickly detecting them before they begin to steal data, he said.
Sears said that the attackers used malicious software that was undetectible using anti-virus software.
Tom Kellermann, chief cybersecurity officer with security software maker Trend Micro, said that retailers need to be prepared to deal with malicious software crafted specifically for the purposes of burglarizing retailers.
“It is debatable whether they had sufficient security in place to thwart these thieves. The real question that needs to be asked is why haven’t they learned the lessons from the attacks on Target and others.”
Kmart, which launched an investigation into the hacking, apologized to its customers on Friday and said it was working with federal authorities, banking partners and security firms in the probe.
On Thursday, restaurant chain Dairy Queen, owned by Berkshire Hathaway Inc, confirmed that it may have compromised payment card information of customers across 46 U.S. states.
Other widespread breaches include those of Target Corp, Home Depot Inc, Michaels Stores Inc and Neiman Marcus.
(Reporting by Yashaswini Swamynathan and Natalie Grover In Bangalore; Editing by Maju Samuel and Lisa Shumaker)