Late Friday Sears Holding Corp. said its Kmart stores found a breach of its in-store payment data systems, exposing debit and credit card numbers.
Kmart’s IT team detected the breach on Oct.9 and hired a security firm to conduct a full investigation.
“According to the security experts we have been working with, our Kmart store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems,” Sears said in a statement.
Kmart has removed the malware, Sears added.
Hoffman Estates, Illinois-based Sears did not give any indication of how many payment cards were compromised by the breach—which started in early September—but it did indicate that its investigation has determined “no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by those criminally responsible.”
The retailer also did not say how many stores were affected, or give locations.
“Given the criminal nature of this attack, Kmart is working closely with federal law enforcement authorities, our banking partners as well as security experts in this ongoing investigation,” said Alasdair James, president and chief member officer in a statement.
Kmart is offering free credit monitoring to customers who has shopped at stores from early September until Oct. 9.