Australian retailer Kmart confirms hackers stole customer data

Wesfarmers-owned retailer Kmart has confirmed that hackers breached its online ordering system and stole customers’ personal information.

On Wednesday or possibly before, hackers breached Kmart’s online ordering system and accessed customers’ name, email address, delivery and billing address, telephone number and what they’d purchased.

The company said credit card and other payment details were not compromised or accessed and that the breach only affected customers who had used its website to purchase products.

“No online customer credit card or other payment details have been compromised or accessed… This breach only impacts a selection of customers who have shopped online with Kmart Australia,” Kmart said in a statement.

Kmart told affected customers about the breach in an email ahead of a media report and its subsequent disclosure to followers of its Facebook and Twitter accounts.

“If customers have not received a message from Kmart Australia regarding this situation they have not been impacted,” it said.

Details released by Kmart indicate that the company has not detected a breach of its point of sale or other systems at 192 physical stores across Australia and New Zealand. Wesfarmers also owns Australia’s second largest food retailer, Coles; Kmart rival, Target; home improvement retail giant Bunnings; and office supplies retailer Officeworks.

The company said it had hired a local IT forensic investigator and notified privacy watchdog, the Office of the Australian Information Commissioner, and the Australian Federal Police.

The mass storage of credit card details on networked computers have made retailers an attractive target to hackers. Malware attacks on point of sale (PoS) and other payment systems at least a dozen well-known US retailers in the past two years has forced the industry into a major rethink of security. The breach at US retailer Target in 2013 exposed 40 million credit card numbers and tens of millions more customers' personal details.

A number of questions about the Kmart breach remain unanswered, including the number of customers affected. CSO Australia has contacted Kmart for further information and will update the story if it receives a response.

Kmart customers should also not be comforted by the knowledge that the only details exposed to hackers was personal information.

“So the personal attributes that are difficult to replace and are used for identity theft have been compromised whilst the asset the banks will replace for you and cover your losses on are the ones that deserved to be underlined,” Australian security expert Troy Hunt told CSO Australia.

As Hunt outlined recently, consumers have fairly solid protection when it comes to credit card fraud. Merchants also, for compliance reasons, do a lot to protect credit card details, however there is little incentive to protect the identity of users. Leaked details of 30 million users of the adultery website Ashley Maddison highlighted that the risk of exposed credit card details can take a back seat to an exposed identity.

The response from Kmart also highlights consumer protection shortcomings in the security standard PCI-DSS (Payment Card Industry Data Security Standard). PCI DSS, which is driven by credit card firms Visa and Mastercard and enforced by local banks, encourages retailers to ensure payment data is adequately secured with encryption. Non-compliance can result in fines for merchants, but it provides little incentive to protect customers' personal information.

“[Kmart] may have encrypted the card data and have sufficient confidence the private key wasn’t compromised or possibly even just retained the last four digits of the cards. This will keep the banks happy, but consumers should be concerned about the disclosure of their personal details,” said Hunt.

The other question that Kmart has not answered is whether its online customers’ passwords were compromised, which could be a problem if any customers have re-used their passwords across multiple websites.

“Kmart have not made it clear if any passwords were stolen in the breach,” said Sieng Chye Oh, malware researcher at digital protection company, ESET.

“If passwords were stolen, cybercriminals will likely use the credentials to target other sites such as social networks, email accounts, and others. To stay safe, any customers that shop online with Kmart should change their password for this site and all others, especially those who use a single password for multiple online accounts.”

Join the CSO newsletter!

Error: Please check your email address.

Tags hackerskmartAshley Maddisontwittercustomer dataPCI DSShackers breachedFacebook

More about Australian Federal PoliceCSOFacebookFederal PoliceKmart AustraliaMastercardOfficeworksTwitterVisa

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place