Kmart Says Its Payment System Was Hacked
wiredmikey writes Kmart is the latest large U.S. retailer to experience a breach of its payment systems, joining a fast growing club dealing successful hack attacks. The company said that on Thursday, Oct. 9, its IT team detected that its payment data systems had been breached, and that debit and credit card numbers appear to have been compromised. A company spokesperson told SecurityWeek that they are not able to provide a figure on the number of customers impacted. The spokesperson said that based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the attackers.
why would Kmart even have your social security number?
...nobody.
Windows 3.1x calc: 3.11 - 3.10 = 0.00
Come and get it hackers !!
to list who hasn't been hacked yet. I wonder if these big companies buy their security systems at K-Mart.
in the dozens of dollars.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Brian Krebs covered it too: http://krebsonsecurity.com/2014/10/malware-based-credit-card-breach-at-kmart/
News came out earlier today dairy queens in Colorado area were hacked.
if your company hasn't been hacked...well, that sucks for you.
Sears, last time I checked was a definite IBM AIX shop with the point of sale terminals being a tad more than IBM 3151 VTs, except with a credit scanner and cash drawer. Is K-Mart on a different system, or do both Sears and K-Mart use the same POS these days?
Malware on Windows is one thing... nailing AIX systems actually would be an accomplishment.
As an IT security guy, I really find all these cracks disheartening. I guess the IT staff at these places don't really understand that security is a process, not a product. You cannot throw up a router with some ACLs and firewall or two and expect to be secure. Neither can you not make constant audits of your backend payment systems and expect security.
I've already stopped shopping at Target permanently because of their debacle. I stopped shopping at Walmart this week due to their cancelling health benefits for all part time workers despite being able to afford it and then some. Who is next to not pay attention to their security posture?
Who even knew that was still a thing?
I think the last time I saw an actual K-Mart store was in the early 1990s, and they were on the way out even back then.
It's too bad someone hasn't come up with a way to make credit cards that cannot be compromised in this manner.
Happiness in intelligent people is the rarest thing I know.
Ernest Hemingway
Beyond transactions, I wonder whether retailers should even be storing credit card information? Surely delegating this problem to the credit card companies would be better? The only thing companies should keep is maybe some sort of public key value for the credit card, which can only be unlocked with a user-provided value. The private key would be in the hands of the credit card company to access your account.
I am thinking on the fly here, but the main gist is the less credit card details stored by non-credit card companies the better. These retailers could secure their systems better, but maybe they shouldn't be holding on to certain critical information either? We need to review what financial data is held in light of these issues.
In Europe you have a one-time key for your online payments, which requires a special calculator-looking device. Probably not the best solution, but not a terrible one either - it's just inconvenient and not necessarily clear to the non-tech savvy.
Jumpstart the tartan drive.
maybe they were going for the medical records, I heard that's big business these days.
Force everybody back to good old paper and ink. These damn contraptions are not ready for the market yet.
That's why I use cash
Seek help penis envy is a serious condition son.
That's 10 more people who have had their personal information compromised.
James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
"joining a fast growing club dealing successful hack attacks"??
Kmart was dealing the attacks? Wow, does no one proofread anymore?
It is just NSA on the trail of Michelle Obama, aka Mr. Michael Jerome Green before the sex change operation.
Keep a sub-$1 balance in your bank account. :P
I do not fail; I succeed at finding out what does not work.
Last I knew - K-Mart's parent corporation Sears rolled all their "Sears" cards over to Citibank. When I started getting surprise charges from "Sears Home Health" and called the number on the back of the "Sears" card to complain/dispute the charges - they told me "This is Citibank - if you have a dispute - dispute it with the company who charged it". I was like "this is a Sears card - I got a charge from Sears - I am calling Sears". Turns out - somehow magically three different companies - none of whom wanted to easily reverse any charges.
Long story short - I am sure that K-Mart merely decided to adopt a new business practice selling customers' social security numbers to Nigerian scammers or something. It would be pretty par-for-the-course for them.
The real news is that K-Mart is still around.
they run Microsoft and are retailers that are not allowed to sell in India, but have off-shored to there.
Russia and China can buy off somebody for less than $100K to release a bug within the network.
Later, the Russians/Chinese then leave a trail indicating other means, even though it is not likely, and would require millions for the Russians/Chinese to do.
I wonder, if they have been hacked for months, whether their systems and forensics are reliable enough to say for sure any personal data is not at risk. I doubt a lot they have systems in place to be able to say that with a 100% security margin. As for the current hacked systems being hacked or/with malware, anyone with common sense should not use Windows to drive critical systems.
Banks/companies will reimburse you for the lost money. Where your concern should be is your FULL identification.
Do NOT go with any of the 1 year BS LifeLock policies that these companies offer you. LifeLock and others will continue to sell your information to companies like Target, Sears, Walmart, etc. who then target you with spam, along with the crackers that got your info. These companies will off-shore that information where it will be used to target you with spam, and make it easy to grab it again by a new and different set of crackers.
Instead, go to all 4 credit bureaus and put a LOCK on your ID. If anybody or ANY COMPANY attempts to access your information, they are blocked. Simple as that. If you need to get a loan, CC, etc, then and only then, unlock it temporarily and only for that company.
Am I the only one who thinks "Hack Attack" would be an awesome band name!?
Why don't people get their act together? It's rather depressing
I almost mentioned the name of my company as the one that hasn't been hacked. We take security very seriously. No Microsoft products are allowed on the premises, employees are armed, etc.
Then I realized posting that could make us a Target.
That's pretty much what I was thinking. I thought they had all closed a few years ago.
Serious? Seriousness is well above my pay grade.
Who the fuck shops at Kmart anyways? LOL
Apparently nobody with enough money or credit to possess a credit card.
I suppose a customer list might be interesting to a collection agency, or a bounty hunter going after bail jumpers, but it's certainly not where you'd go looking if you're interested in stealing identities or credit information.
They need to be held responsible for this with hefty fines, investigations, and boycotting!!!
Oh wait, it's not Wal-Mart? Nevermind, carry on.
While visiting Nantucket Parcel Plus, I heard a guy say their POS had a virus and he was fixing it.
Hacking K-Mart is like ... wow, what have you achieved? How would you ever live it down? Big leet haxor hakked K-Mart! Is this data valuable at all? Used to be that I felt sorry for shoplifters caught stealing from ... K-Mart. Can you imagine being in prison and trying to live that down?
I'd be worried, if I shopped at Kmart in the last 5 years.
Dr. Bruner: Well, Raymond? Aren't you more comfortable in your favorite K-Mart clothes? Charlie: Tell him, Ray. Raymond: K-Mart sucks. Dr. Bruner: Oh, I see. Charlie: Hey, Ray: you just made a joke. Raymond: Yeah, a joke. Ha ha ha... ha.
I vote that we force these corporations to take data security and IT in general more seriously. First, cut off their online credit card processing. They can use the old mechanical card swipers for a while. Once they have seriously upgraded their systems, and been independently audited, they can go back online. Require them to submit to thorough systems audits and spot checks for 5 years or so. Perhaps corporate management will get the message that IT may not be a profit center but it is necessary to continued operations.
KMart is well known for having barely any IT infrastructure, and what they DO have doesn't work well. They are literally one step removed from only hand-crank adding machines.
How DO you hack that?
Yes, this is a serious question. One of the key differences between Walmart and KMart was how each company approached IT back in the 80s when this stuff became affordable and powerful. Walmart embraced data and wrapped their whole process around it and still uses it in quasi-magical ways to glean trends, predict sales, do reorders, and find efficiencies. They extract value from data just like they squeeze their suppliers.
KMart, on the other hand, looked at computers and laughed and went on laughing for years, not noticing as Walmart outflanked them and eventually drove them into the ground head first. KMart is barely alive now, because they spent decades not having any idea what was even in the stores or what was selling. They didn't know, didn't care, had no way to handle the data even if they had it, and generally treated IT like nothing more than office internet connections to surf Yahoo.
Baseline Magazine, I believe it was, did a stellar piece on Walmart vs. Kmart and how each handled IT as of about 10 years ago. KMart is not painted in a good light. It's actually amazing an organization as incompetent as KMart is even still in business. They have never gotten it and still don't.
Walmart had them beat years before it happened, because Walmart knew all the data. They won the war in the server room. KMart never had a chance and didn't even fight back.
Sig for hire.
I worked at K-Mart in the 1980s. We were still using the carbon paper charge slips and the manual imprint machine when everyone else had moved to electronic CC transactions. We were still looking up every CC transaction in that paper directory that came out every two weeks with stolen credit card numbers in it. If the purchase was >$50, we had to call in and get an approval. I worked in electronics so I had to call in almost every sale, it was a huge PITA. K-Mart was very short-sighted in the 80s and it cost them everything.
K-Mart knew their system was breached 1 month ago, and only now made it public. Don't shop there, never will.
...is for credit card companies to issue new numbers to all cards twice a year. Or even issue new three-digit security codes every month or few weeks. Delivery, of course, is the issue, and paper notifications would probably be required until some sort of indirect electronic transmission means - like a PayPal for info -- is developed.