Kmart Australia issued a statement this week saying that the details of customers who used its online ordering system had potentially been exposed. The data included customers' names, email addresses, delivery and billing addresses, telephone numbers and product purchase details.
“No online customer credit card or other payment details have been compromised or accessed,” the retailer's statement said.
“This breach only impacts a selection of customers who have shopped online with Kmart Australia. If customers have not received a message from Kmart Australia regarding this situation they have not been impacted.”
The retailer has contacted Australian Federal Police about the security breach.
Commenting on the data breach, ESET malware researcher Sieng Chye Oh said that as email addresses and contact numbers have been leaked, affected Kmart Australia customers should be wary of any emails or phone calls they receive.
“Cybercriminals may use the disclosed information to trick customers into revealing further information to gain access to valuable profiles and accounts. This is commonly known in the industry as social engineering,” he said.
“Kmart have not made it clear if any passwords were stolen in the breach. If passwords were stolen, cybercriminals will likely use the credentials to target other sites such as social networks, email accounts, and others. To stay safe, any customers that shop online with Kmart should change their password for this site and all others, especially those who use a single password for multiple online accounts.”
The Kmart breach is the latest in a series of high-profile incidents in which retailers have been targeted.
In November US retailer Home Depot revealed that a recent data breach had compromised 56 million payment cards, saying the attackers had used login credentials belonging to a third-party vendor to access its network. It also revealed that 53 million email addresses had been stolen.
The stolen login credentials didn't provide direct access to its point-of-sale terminals, Home Depot said. But once inside, the hackers gained "elevated rights" that allowed them to navigate to other parts of its network and install their malware on self-checkout systems in the US and Canada.
In 2013, US retailer Target revealed that attackers had stolen customer data between November 27 and December 15 2013 via malicious software installed on point-of-sale devices.
The malware collected unencrypted payment card details during the brief window after a card was swiped in which the data sits in the terminal's memory, a weakness that years of effort to harden payment systems had left unaddressed.
A new analysis by Verizon claims that Target US failed to implement basic security best practices both before and immediately after the breach, and that these failures contributed to the theft of information from 40 million credit and debit cards.
For example, the retailer had not segmented its networks, password policy was poorly enforced and patch management was lax.