Luckily, only three people in the whole country shop at Kmart. They are pissed.
Malware Based Credit Card Breach at Kmart
Sears Holding Co. late Friday said it recently discovered that point-of-sale registers at its Kmart stores were compromised by malicious software that stole customer credit and debit card information. The company says it has removed the malware from store registers and contained the breach, but that the investigation is ongoing.
“Yesterday our IT teams detected that our Kmart payment data systems had been breached,” said Chris Brathwaite, spokesman for Sears. “They immediately launched a full investigation working with a leading IT security firm. Our investigation so far indicates that the breach started in early September.”
According to those investigators, Brathwaite said, “our systems were infected with a form of malware that was currently undetectable by anti-malware systems. Our IT teams quickly removed that malware, however we do believe that debit and credit card numbers have been compromised.”
Brathwaite stressed that the data stolen included only “track 2″ data from customer credit and debit cards, and did not include customer names, email address, physical address, Social Security numbers, PINs or any other sensitive information.
However, he acknowledged that the information stolen would allow thieves to create counterfeit copies of the stolen cards. So far, he said, Sears has no indication that the cards are yet being fraudulently used.
Sears said it has no indication that any Sears, Roebuck customers were impacted, and that the malware infected the payment data systems at Kmart stores only.
More on this developing story as updates become available. For now, see this notice on Kmart’s home page.
Dairy Queen Confirms Breach at 395 Stores
Nationwide fast-food chain Dairy Queen on Thursday confirmed that malware installed on cash registers at some 395 stores resulted in the theft of customer credit and debit card information. The acknowledgement comes nearly six weeks after this publication first broke the news that multiple banks were reporting indications of a card breach at Dairy Queen locations across the country.
In a statement issued Oct. 9, Dairy Queen listed nearly 400 DQ locations and one Orange Julius location that were found to be infected with the widely-reported Backoff malware that is targeting retailers across the country.
Curiously, Dairy Queen said that it learned about the incident in late August from law enforcement officials. However, when I first reached out to Dairy Queen on Aug. 22 about reports from banking sources that the company was likely the victim of a breach, the company said it had no indication of a card breach at any of its 4,500+ locations. Asked about the apparent discrepancy, Dairy Queen spokesman Dean Peters said that by the time I called the company and inquired about the breach, Dairy Queen’s legal team had indeed already been notified by law enforcement.
“When I told you we had no knowledge, I was being truthful,” Peters said. “However, I didn’t know at that time that someone [from law enforcement] had already contacted Dairy Queen.”
In answer to inquiries from this publication, Dairy Queen said its investigation revealed that the same third-party point-of-sale vendor was used at all of the breached locations, although it declined to name the affected vendor. However, multiple sources contacted by this reporter said the point-of-sale vendor in question was Panasonic Retail Information Systems.
In response to questions from KrebsOnSecurity, Panasonic issued the following non-denial statement:
“Panasonic is proud that we can count Dairy Queen as a point-of-sale hardware customer. We have seen the media reports this morning about the data breaches in a number of Dairy Queen outlets. To the best of our knowledge, these types of malware breaches are generally associated with network security vulnerabilities and are not related to the point-of-sale hardware we provide. Panasonic stands ready to provide whatever assistance we can to our customers in resolving the issue.”
The Backoff malware that was found on compromised Dairy Queen point-of-sale terminals is typically installed after attackers compromise remote access tools that allow users to connect to the systems over the Internet. All too often, the user accounts for these remote access tools are protected by weak or easy-to-guess username and password pairs. Continue reading →
Use cash!
Using a credit card to buy a fucking ice cream cone??? Fuckin nuts.
There’s a convenience store half a mile from the house. I see adults pulling out their card for a $2 coffee. Kids using their cards for a candy bar. That’s pure insanity as far as I’m concerned.
I was looking for the Onion..
Went to the dairy store yesterday. Guy in front of me bought 2 items and swiped a card. I bought 12 items and wrote a check.
Kid cashier to co-worker: “Hey Bo, how do you do a check?!?”
lol
Know what you call a milk man who wears high heels? A Dairy Queen!
As a computer scientist I’ll tell you how it’s done: Are these ‘hackers’ that smart. The answer is NO. Usually someone who works for the software company divluges the info. The ‘virus’ program monitors known memory addresses where the card info is stored – when the card is swiped (via an interrupt). It then copies the data, into a table in memory. Then at some off hour, it will trasnmitt the data to the hackers server.
Alway use a credit card. Don’t ever use a debit card, other than at you banks ATM.
Using a CC at Dairy Queen – that’s fucked up.
Even dumber when they pull out a debit card for a $2.00 ice cream cone.
There’s nothing like providing a direct access into your checking account.
@Maddies Mom: Who the hell writes checks at stores any more?? Are you the PITA person I have to stand behind while you write the check, and then do the subtraction? You gotta be from North Dakota. I don’t know of any merchants who take checks anymore.
@ Dutchman,
I do!!!
I write them all the time at the dairy store, the grocery store, and my hair stylist is more than happy to take a check. If someone is behind me in line, I tell them I’ll be writing a check so they have the option of moving to another line. Subtraction? Nah…Carbon checks! 😉
I used a debit card for several years, but no more.
I also don’t carry a balance on my ONE credit card and I don’t do business with banksters.
You won’t find me on FB and I watch almost no teevee (although I have become a bit addicted to Dr. Pol.)
Happy to be a former member of the herd.
Dairy Queen has that many stores? Their ice cream sucks almost as much as bb’s comments.
” I see adults pulling out their card for a $2 coffee. Kids using their cards for a candy bar. That’s pure insanity as far as I’m concerned.”
Not if you are an oligarch and are eager to see a cashless society.