Kmart confirmed over the weekend that Kmart stores' payment data system was "purposely" infected with a "new form" of malware that allowed hackers to steal customers' credit and debit card information.
Kmart believes that "only" debit and credit card numbers were breached, and that customer names, addresses and email addresses are safe.
In a message to all Kmart customers, President Alasdair James, claimed that "there was no evidence that any kmart.com customers were impacted." To me, that's a strong indication that it was most likely a point-of-sale breach - that is, inside the actual stores rather than online customers.
The breach started in "early September" and was discovered on October 9th. That means that if you've shopped inside a Kmart store in basically the past month, then your payment card number may have been stolen.
Online customers should be safe, according to the CEO.