The U.S. retail chain's payment systems were infected with a form of malware that went undetected by its anti-virus systems, Sears said. There is no evidence that Kmart shoppers' personal information, PIN numbers, email addresses or Social Security numbers were stolen, and the malware has since been removed, Sears said.
A forensic investigation indicates that the breach began in early September, Sears said. Kmart's IT team discovered the breach only this Thursday.
Sears did not have enough information to say roughly how many credit and debit card numbers were compromised, a spokesman said in an interview.
"We sincerely apologize for any inconvenience this may cause our members and customers," Sears said in a press release. The company is recommending that customers who have shopped with a credit or debit card at any Kmart store between September and Thursday of this week check their account statements.
More information about the breach will be posted at kmart.com. Customers can also call Kmart's customer care center line at 888-488-5978. Kmart will be offering free credit monitoring protection.
There is no evidence that the breach has affected customers who have shopped online at kmart.com, the company said.
Kmart is working with federal law enforcement authorities, its banking partners and IT security firms in an ongoing investigation, Sears said.
Kmart is one of many major retailers to have been breached this year. Home Depot said last month its payment systems had been breached, putting at least 56 million cards at risk.