Australian retailer Kmart confirms hackers stole customer data

Wesfarmers-owned retailer Kmart has confirmed that hackers breached its online ordering system and stole customers’ personal information.

On Wednesday or possibly before, hackers breached Kmart’s online ordering system and accessed customers’ name, email address, delivery and billing address, telephone number and what they’d purchased.

The company said credit card and other payment details were not compromised or accessed and that the breach only affected customers who had used its website to purchase products.

“No online customer credit card or other payment details have been compromised or accessed… This breach only impacts a selection of customers who have shopped online with Kmart Australia,” Kmart said in a statement.

Kmart told affected customers about the breach in an email ahead of a media report and its subsequent disclosure to followers of its Facebook and Twitter accounts.

“If customers have not received a message from Kmart Australia regarding this situation they have not been impacted,” it said.

Details released by Kmart indicate that the company has not detected a breach of its point of sale or other systems at 192 physical stores across Australia and New Zealand. Wesfarmers also owns Australia’s second largest food retailer, Coles; Kmart rival, Target; home improvement retail giant Bunnings; and office supplies retailer Officeworks.

The company said it had hired a local IT forensic investigator and notified privacy watchdog, the Office of the Australian Information Commissioner, and the Australian Federal Police.

The mass storage of credit card details on networked computers have made retailers an attractive target to hackers. Malware attacks on point of sale (PoS) and other payment systems at least a dozen well-known US retailers in the past two years has forced the industry into a major rethink of security. The breach at US retailer Target in 2013 exposed 40 million credit card numbers and tens of millions more customers' personal details.

A number of questions about the Kmart breach remain unanswered, including the number of customers affected. CSO Australia has contacted Kmart for further information and will update the story if it receives a response.

Kmart customers should also not be comforted by the knowledge that the only details exposed to hackers was personal information.

“So the personal attributes that are difficult to replace and are used for identity theft have been compromised whilst the asset the banks will replace for you and cover your losses on are the ones that deserved to be underlined,” Australian security expert Troy Hunt told CSO Australia.

As Hunt outlined recently, consumers have fairly solid protection when it comes to credit card fraud. Merchants also, for compliance reasons, do a lot to protect credit card details, however there is little incentive to protect the identity of users. Leaked details of 30 million users of the adultery website Ashley Maddison highlighted that the risk of exposed credit card details can take a back seat to an exposed identity.

The response from Kmart also highlights consumer protection shortcomings in the security standard PCI-DSS (Payment Card Industry Data Security Standard). PCI DSS, which is driven by credit card firms Visa and Mastercard and enforced by local banks, encourages retailers to ensure payment data is adequately secured with encryption. Non-compliance can result in fines for merchants, but it provides little incentive to protect customers' personal information.

“[Kmart] may have encrypted the card data and have sufficient confidence the private key wasn’t compromised or possibly even just retained the last four digits of the cards. This will keep the banks happy, but consumers should be concerned about the disclosure of their personal details,” said Hunt.

The other question that Kmart has not answered is whether its online customers’ passwords were compromised, which could be a problem if any customers have re-used their passwords across multiple websites.

“Kmart have not made it clear if any passwords were stolen in the breach,” said Sieng Chye Oh, malware researcher at digital protection company, ESET.

“If passwords were stolen, cybercriminals will likely use the credentials to target other sites such as social networks, email accounts, and others. To stay safe, any customers that shop online with Kmart should change their password for this site and all others, especially those who use a single password for multiple online accounts.”