Retailers' PoS systems ransacked by malware

Kmart stores across the United States have been infected by a malware-based attack, resulting in the theft of customer payment card data.

The US Secret Service has confirmed it has started investigating the September breach.

The breach compromised the systems of Kmart, which has about 1,200 stores across the United States, according to the retail chain's parent company, Sears Holdings. The breach did not affect the Sears department store chain.

A Sears spokesman could not say how many credit and debit card numbers had been exposed. He added that the personal information, debit card PIN codes, email addresses and Social Security numbers of Kmart customers remained safe.

According to the retailer, attackers used malicious software that was undetectable using anti-virus software, highlighting the challenge of keeping up with the evolving techniques of computer hackers. 

Company spokesman Chris Brathwaite said Sears had been upgrading its systems before the recent spate of incidents affecting retailers, which included a massive breach of the systems of Target Corp in late 2013.

"Our IT team was able to quickly remove the malware and we are deploying further advanced software to protect our customers' information," Brathwaite said.

Kmart apologised to its customers on Friday US time and said it was working with federal authorities, banking partners and security firms in the probe.

The company did not say which type of malware had affected its payments system.

As news of the Kmart data breach broke, the Dairy Queen network of ice-cream and fastfood restaurants confirmed that it too had suffered a large-scale security breach across North America due to a malware-based attack.

Point of sale computers at Dairy Queen locations, and one Orange Julius stores, were infected by the Backoff malware, the company said.

The malware infected computers at 395 of Dairy Queen's more than 4,500 US locations, exposing the names, numbers and expiration dates of customer payment cards, the statement said.

There is no indication that other personal information, including card PINs, social security numbers or email addresses were stolen, Dairy Queen said.

Dairy Queen will attempt to make amends by offering free identity repair services for one year to customers in the US who made purchases in any of the affected food outlets. It did not say how many customers were affected by the data breach.

Backoff has hit several retailers in the United States this year, including Target, PF Chang and Goodwill.