Who was affected by this incident?
We believe that this incident involved unauthorized access to less than 100,000 of our customers’ payment card information. Certain customers who completed an online order between September 27, 2017 and October 12, 2017 may have been compromised.
Were Sears and Kmart Stores impacted?
No. We understand this was limited just to Sears.com and Kmart.com, and only in that narrow window between September 27, 2017 and October 12, 2017. In addition, customers who used a Sears-branded credit card were not affected. Customers who used cards that they had saved to their Sears.com or Kmart.com profile were also not affected.
There was no impact to Sears or Kmart stores, or any other Sears websites, such as those that support Shop Your Way, Parts Direct, or Sears Puerto Rico.
Are Sears.com and Kmart.com safe to use now?
[24]7.ai has assured us that their systems are now secure. We are confident that our customers can safely use their credit and debit cards on our websites.
Have any law enforcement agencies reached out to you about a data breach?
Given the criminal nature of this attack, Sears and Kmart are working closely with federal law enforcement authorities, our banking partners, and IT security firms in this ongoing investigation. We cannot comment on any specific activities by those parties; please direct any questions to them.
Have you hired an outside forensics firm to investigate? What is the status of that investigation?
As soon as we became aware of this incident from our vendor, we immediately launched a thorough investigation. The investigation to date indicates that those criminally responsible for the event compromised the vendor’s system and installed a form of malicious code that improperly obtained information from certain clients of [24]7.ai, including Sears and Kmart.
Were any other kinds of customer data compromised (like the info in your customer loyalty card database)?
We believe that this incident was strictly limited to unauthorized access to selected payment card information.
Will you notify the members if their data has been compromised?
Yes. Our top priority at this point is to quickly identify the impacted customers, notify and assist them in every way possible. We are sending email notifications to affected customers on April 6th. This will be followed by notification by USPS in the coming weeks.
Do I, as a customer, have any exposure?
It is important to note that the policies of most credit card companies state that customers have no liability for any unauthorized charges if they report them in a timely manner. We recommend that all customers carefully check their card statements for any suspicious activity.
What are you doing to make sure that it doesn’t happen again?
Data security is of critical importance to our company. There is no evidence that our store payment data systems were compromised, or that any internal Sears systems were accessed by those criminally responsible in this event. We maintain appropriate and reasonable physical, electronic, and procedural security safeguards to protect our data, and we continuously review and improve those safeguards in response to changing technology and new threats. We are actively reviewing our vendor security policies, but it is our policy not to discuss the specific details of our security measures.
How can I get more information?
You may continue to visit us here, at searsholdings.com/update.