Danny Yadron of the Wall Street Journal just tweeted that Kmart has disclosed a data breach in its SEC filing. Indeed, they have:
On October 9, Kmart’s Information Technology team detected Kmart’s payment data systems had been breached and immediately launched a full investigation working with a leading IT security firm.
The investigation to date indicates the breach started in early September. According to the security experts Kmart has been working with, the Kmart store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems. Kmart was able to quickly remove the malware. However, Kmart believes certain debit and credit card numbers have been compromised.
Based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by those criminally responsible. There is also no evidence that kmart.com customers were impacted.
Given the criminal nature of this attack, Kmart is working closely with federal law enforcement authorities, banking partners and IT security firms in this ongoing investigation. Kmart is deploying further advanced software to protect customers’ information.
Unlike JP Morgan, which disclosed their breach on their site in coordination with their SEC filing, Kmart does not appear to have posted anything on their web site yet.
UPDATE: Thanks to commenter Charlie, who points us to Kmart’s newly added statement on their site.
Kmart statement on their website > http://www.kmart.com/en_us/dap/statement1010140.html?adcell=hpnewsrelease
Thanks so much! Updated the post to link to their statement.