Slashdot Mirror


Kmart Says Its Payment System Was Hacked

wiredmikey writes: Kmart is the latest large U.S. retailer to experience a breach of its payment systems, joining a fast-growing club dealing with successful hack attacks. The company said that on Thursday, Oct. 9, its IT team detected that its payment data systems had been breached, and that debit and credit card numbers appear to have been compromised. A company spokesperson told SecurityWeek that they are not able to provide a figure on the number of customers impacted. The spokesperson said that, based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by the attackers.

2 of 101 comments

  1. Does K-Mart use the same stuff as Sears? by mlts · Score: 4, Interesting

    Sears, last time I checked, was a definite IBM AIX shop, with the point-of-sale terminals being a tad more than IBM 3151 VTs, except with a credit scanner and cash drawer. Is K-Mart on a different system, or do both Sears and K-Mart use the same POS these days?

    Malware on Windows is one thing... nailing AIX systems actually would be an accomplishment.

    1. Re:Does K-Mart use the same stuff as Sears? by execthis · Score: 3, Interesting

      Based on what the article says about what happened (that it was actual POS malware), I still am not able to figure out a methodology that would enable such an attack to work.

      Let's say someone manages to put malware on a POS device. Ok. But now how would that malware be able to communicate any information to the thieves? I cannot imagine that the POS device is just sitting on the 'net without a strict firewall in front of it allowing it access to one - and only one - address: that of the company that provides the line/aggregates the data which feeds ultimately to the merchant account provider who handles the transactions for the company.

      If the POS malware tries to "phone home" with data, it should never ever be able to connect.

      So the issue to me becomes more than whether a POS device actually got malware on it - what kind of setup could exist such that the device would ever have the opportunity to connect with any other host than the predesignated one it is allowed to???
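The egress rule execthis describes, that a POS terminal is allowed to reach exactly one predesignated payment-processing host and nothing else, can be checked directly against firewall or flow logs. The following is an added example, not code from the Slashdot thread or from any Kmart or Sears system: the POS subnet, the gateway address and port, and the six-field log format are all assumptions, and the sample log lines are constructed. It separates two findings a defender cares about: connection attempts the firewall already dropped (evidence of something on the terminal trying to "phone home") and attempts the firewall let through (the configuration gap the comment is asking about).

```python
"""Egress allowlist check for a POS network segment (added example, not from the thread).

Rule encoded: hosts in the POS segment may only open TCP connections to the
single payment gateway on its service port. Any other outbound flow from that
segment is reported, with a severity that depends on whether the firewall
blocked it or allowed it.
"""
from dataclasses import dataclass
import ipaddress

# Assumed network layout. Addresses are documentation-range placeholders.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
PAYMENT_GATEWAY = ipaddress.ip_address("203.0.113.10")
PAYMENT_PORT = 443
PAYMENT_PROTO = "tcp"

# Constructed sample log: "timestamp src dst dport proto action" per line.
SAMPLE_LOG = """\
2000-01-01T00:00:01Z 10.20.0.15 203.0.113.10 443 tcp ACCEPT
2000-01-01T00:00:05Z 10.20.0.15 198.51.100.7 443 tcp DROP
2000-01-01T00:00:09Z 10.20.0.22 198.51.100.7 8080 tcp ACCEPT
2000-01-01T00:00:11Z 10.20.0.22 203.0.113.10 53 udp ACCEPT
2000-01-01T00:01:00Z 10.30.0.5 198.51.100.7 443 tcp ACCEPT
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    action: str


def parse_flow(line: str) -> Flow:
    """Parse one space-separated log line in the assumed six-field format."""
    ts, src, dst, dport, proto, action = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.lower(), action.upper())


def is_permitted_egress(flow: Flow) -> bool:
    """The one allowed destination: payment gateway, service port, TCP."""
    return (flow.dst == PAYMENT_GATEWAY
            and flow.dport == PAYMENT_PORT
            and flow.proto == PAYMENT_PROTO)


def find_egress_violations(lines):
    """Return [(flow, severity)] for POS-originated flows outside the allowlist.

    severity is "firewall-gap" when the firewall ACCEPTed the flow (the policy
    the comment assumes is not actually enforced) and "blocked-attempt" when it
    was dropped (policy held, but something on the terminal tried anyway).
    """
    violations = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow.src not in POS_SEGMENT:
            continue  # only judge traffic that originates in the POS segment
        if is_permitted_egress(flow):
            continue
        severity = "firewall-gap" if flow.action == "ACCEPT" else "blocked-attempt"
        violations.append((flow, severity))
    return violations


if __name__ == "__main__":
    for flow, severity in find_egress_violations(SAMPLE_LOG.splitlines()):
        print(f"{severity:16} {flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} ({flow.action})")
```

On the constructed sample the first line is the legitimate gateway connection and is silent; the second is a dropped attempt to an unrelated host; the third and fourth are accepted flows to a non-gateway host and to the gateway on the wrong port and protocol, which is exactly the kind of gap that would let exfiltration succeed; the last line is from outside the POS segment and is ignored. In a real deployment the allowlist would also cover the handful of management destinations the terminals genuinely need, and a "firewall-gap" finding is a configuration problem to fix regardless of whether any terminal is infected.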