A Tale Of Two Breaches (Kmart vs. Dairy Queen)

On October 10, Kmart, owned by Sears, Roebuck, announced that it, like many other retailers, had been hacked.

Credit and debit card security breaches are, sadly, more and more common these days as hackers continue to worm their way into retailer networks. What’s different about Kmart’s announcement is how it stands in stark contrast to fellow retailer Dairy Queen’s announcement on October 9, just the day before.

Dairy Queen was outed as having been targeted by hackers back in late August by security expert Brian Krebs. Krebs reported that the financial industry had once again followed the breadcrumb trail back to a single common source – in this case, a pattern of fraud linked by account holders having shopped at Dairy Queen locations. Rumors had already begun in early August, but it wasn’t until Krebs received confirmation from multiple financial institutions that he went live with the news.

At the time, Dairy Queen reported that they had no indication of a hack. Two days after Krebs published his article, Dairy Queen confirmed that they had been contacted by the U.S. Secret Service and were starting their own investigation. It wasn’t until October 9 that Dairy Queen admitted to the breach and offered details.

While there’s no word yet on the number of cards compromised, the breach occurred between August 1 and September 10. Once again, malware-infected POS systems were the cause. Hackers were able to install the Backoff malware on the POS systems of about 10% of retail stores by using a third-party vendor’s account credentials, and with it they skimmed customer names, payment card numbers and expiration dates.

There’s no evidence of other personal information, like Social Security Numbers or email addresses, being compromised, but the stolen information was enough to create counterfeit copies of the cards, which were then used for small purchases at dollar stores and grocery stores. Typically, such transactions are the hackers testing that the counterfeit cards work before bigger purchases are attempted.

Dairy Queen’s breach announcement came one month after the last of the machines were cleared of the malware.

On October 10, Kmart announced that they, too, had been breached, but the circumstances are quite different – not that they were breached, but how they handled the breach.

Like Dairy Queen, Kmart reported that the breach lasted for about a month and used malware-compromised POS machines to skim customer credit and debit card information between September 1 and October 9. We don’t yet have any numbers on how many cards were stolen or how many stores’ POS machines were compromised, but there will surely be details to come as the investigation continues.

What’s radically different about Kmart’s breach is that they were the ones to detect the breach, not an outside security firm or financial institution. The breach was discovered on October 9, and their IT team pulled in a leading IT security firm to begin its investigation. The Securities and Exchange Commission was notified the same day, and the malware was removed. The public announcement of the breach happened the following day, before any of the stolen card data had been put up for sale.

No one wants to see their company get hacked, but when it happens, you want to know that the company has been paying attention and that they’ve taken steps to deal with the hack immediately and notify customers of the problem. Dairy Queen is at a disadvantage here, being a network of franchisees without a centralized security system, but not taking steps to clearly and quickly communicate to customers that a breach has happened does not build trust in the brand.

By taking the lead on the breach’s discovery and announcement, Kmart has positioned itself as a more responsible steward of its customers’ private information.