Kmart confirmed over the weekend that Kmart stores' payment data system was "purposely" infected with a "new form" of malware that allowed hackers to steal customers' credit and debit card information.
Kmart believes that "only" debit and credit card numbers were breached, and that customer names, addresses and email addresses are safe.
In a message to all Kmart customers, President Alasdair James, claimed that "there was no evidence that any kmart.com customers were impacted." To me, that's a strong indication that it was most likely a point-of-sale breach - that is, inside the actual stores rather than online customers.
The breach started in "early September" and was discovered on October 9th. That means that if you've shopped inside a Kmart store in basically the past month, then your payment card number may have been stolen.
Online customers should be safe, according to the CEO.
How safe are you, really? If you're a Kmart shopper - or if you've been affected by any of the other massive data breaches that I've reported on over the past few months - the short answer is, not very safe.
Once hackers have your credit or debit card information, the sky is the limit until you cancel the card. They can sell your card information on black-market websites, use it themselves or enjoy a profitable mix of both.
Even if no other personal information was stolen, you're still at risk.
Like Home Depot, Dairy Queen and so many other companies that were recently breached, Kmart is offering its customers free identity theft protection for a year. I'll say the same thing I've been saying since Home Depot set the trend: Too little, too late.
Free identity protection is a little bit like a consolation prize. It won't protect you from the criminals who have already made fraudulent charges on your card, but it might make you feel good for a year.