Date: 2014-10-11
(Adds context on Sears' recent struggles)
By Jim Finkle and Nathan Layne
Oct 10 - Sears Holdings Corp said it was
the victim of a cyberattack that likely resulted in the theft of
some customer payment cards at its Kmart stores, the latest in a
series of computer security breaches to hit U.S. companies and
dealing a fresh blow to the struggling U.S. retailer.
The U.S. Secret Service confirmed it was investigating the
breach, which occurred in September and compromised the systems
of Kmart, which has about 1,200 stores across the United States.
The breach did not affect the Sears department store chain.
A Sears spokesman said he could not say how many credit and
debit card numbers had been taken. He added that the personal
information, debit card PIN numbers, email addresses and Social
Security numbers of its customers remained safe.
Security professionals said they were not surprised to learn
that yet another major retailer was reporting a breach, adding
they believe many big merchants do not have adequate systems for
detecting cyberattacks, which means they still remain easy prey
for hackers.
"This is going to continue indefinitely until people change
their practices," said Shawn Henry, a former senior cyber cop
with the FBI who is now the president of cyber forensics firm
CrowdStrike Services.
He said that hackers are able to get into networks because
they are "so broad and vast" that attackers will always find a
way in. Retailers need to do a better job of quickly detecting
them before they begin to steal data, he said.
Sears said that the attackers used malicious software that
was undetectable using anti-virus software, highlighting the
challenge of keeping up with the evolving techniques of computer
hackers. Company spokesman Chris Brathwaite said Sears had been
upgrading its systems even before the recent spate of incidents
involving retailers, which included a massive breach of the
systems of Target Corp in late 2013.
"Our IT team was able to quickly remove the malware and we
are deploying further advanced software to protect our
customers' information," Brathwaite said.
Security experts say retailers have traditionally not
invested enough in security, partly because of the industry's
relatively thin profit margins.
The breach comes as Sears is struggling to revive itself
under Chief Executive Eddie Lampert, who has been closing stores
and slashing costs to try to return to profitability. Critics
say Lampert has been investing too little in the Sears and Kmart
stores, contributing to nine straight quarterly losses.
Tom Kellermann, chief cybersecurity officer with security
software maker Trend Micro, said that retailers need to be
prepared to deal with malicious software crafted specifically
for the purposes of burglarizing retailers.
"It is debatable whether they had sufficient security in
place to thwart these thieves. The real question that needs to
be asked is why haven't they learned the lessons from the
attacks on Target and others."
Kmart apologized to its customers on Friday and said it was
working with federal authorities, banking partners and security
firms in the probe.
On Thursday, restaurant chain Dairy Queen, owned by
Berkshire Hathaway Inc, confirmed that it may have
compromised payment card information of customers across 46 U.S.
states. Other widespread breaches include those
of Home Depot Inc, Michaels Stores Inc and Neiman Marcus.
(Additional reporting by Yashaswini Swamynathan and Natalie
Grover in Bangalore; Editing by Maju Samuel, Lisa Shumaker and
Ken Wills)