Slashdot Mirror

← Back to Stories (view on slashdot.org)

Kmart Says Its Payment System Was Hacked

Posted by timothy on from the worst-case-scenario dept.

wiredmikey writes Kmart is the latest large U.S. retailer to experience a breach of its payment systems, joining a fast growing club dealing successful hack attacks. The company said that on Thursday, Oct. 9, its IT team detected that its payment data systems had been breached, and that debit and credit card numbers appear to have been compromised. A company spokesperson told SecurityWeek that they are not able to provide a figure on the number of customers impacted. The spokesperson said that based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the attackers.

3 of 101 comments (clear)

  1. social security? wtf by Spy+Handler · · Score: 4, Insightful

    why would Kmart even have your social security number?

  2. My shopping is becoming limited by Anonymous Coward · · Score: 1, Insightful

    As an IT security guy, I really find all these cracks disheartening. I guess the IT staff at these places don't really understand that security is a process, not a product. You cannot throw up a router with some ACLs and firewall or two and expect to be secure. Neither can you not make constant audits of your backend payment systems and expect security.

    I've already stopped shopping at Target permanently because of their debacle. I stopped shopping at Walmart this week due to their cancelling health benefits for all part time workers despite being able to afford it and then some. Who is next to not pay attention to their security posture?

    1. Re:My shopping is becoming limited by mlts · · Score: 3, Insightful

      Very true. I'm reminded of one vendor that as part of the contract got their own direct connect to company LANs in order to directly service/support their software. I always worried that all it took was some compromise on the vendor's side, and it was a big gaping hole that could be easily nailed. The vendor was pretty much protected (part of the software contract), so if they got hacked, it was pretty much game over.

      I did stick in a firewall though. The vendor had unfettered access to their machines... but no unrelated boxes, and their machines were also sectioned off. However, it was like putting a bandaid on a bullet wound, because of all the things their software touched.

      Point of sale systems are not rocket science. We had better quality of code when game companies made Playstation 1 CDs (as they could not be updated, so what was released was it.) It might just be time to return to that finished quality of code... but still have an update mechanism. An update mechanism that requires not just signed firmware, but someone physically pressing a button (so the software can't be remotely updated.)