Sears: Online customer payment info, store systems ‘were not compromised’

Press enter to search
Close search
Open Menu

Sears: Online customer payment info, store systems ‘were not compromised’

By Deena M. Amato-McCoy - 04/30/2018
Sears seems to have dodged a bullet.

The department store retailer’s online support services provider, [24]7.ai, warned Sears in March that it was the victim of a cyber-attack on its network — an issue that may have enabled hackers to gain unauthorized access to credit card information among less than 100,000 customers who placed orders on its Sears or Kmart websites between September 27 and October 12, 2017. New details from Sears’ investigation revealed that its systems were not impacted, after all.

Upon learning about the breach, Sears immediately notified the credit card companies to prevent potential fraud. It also launched a thorough investigation with federal law enforcement authorities, banking partners, and IT security firms.

Based on Sears’ investigation, the retailer concluded that customers using Sears-branded credit cards or storing payment card information on the Sears and Kmart websites were not impacted. There was also no evidence that any stores or any internal Sears systems were accessed by hackers, according to Sears.

[24]7.ai has assured the department store retailer that it removed the malicious script from its code, and its systems are now secure, Sears reported.

While there was no evidence of tampering, Sears continues to take steps “to comply with various state regulations and requirements and ensure its customers are aware of the incident,” according to the company.

The company encourages customers to take steps to safeguard their information and understand their rights under their state's laws. In addition, Sears encourages customers “to monitor their card statements and review their free credit reports, and otherwise remain vigilant for suspected incidents of fraud or identity theft,” the company said.

Sears encourages customers that suspect incidents of identity theft to report them to local law enforcement, the state attorney general, and/or the Federal Trade Commission (FTC). Individuals can also obtain information about the steps they can take to avoid identity theft from the FTC.

Customers who still believe their information might have been affected by this incident may be able to place a fraud alert or security freeze on their credit reports through consumer reporting agencies.

Sears was not the only company potentially impacted by (24)7.ai.’s breach. Best Buy, which uses (24)7.ai’s chat services, also issued a warning that some of its customers’ payment information may have been compromised in the same data cyberattack that hit the technology vendor between September 27 and October 12, 2017.

Related Topics