Kmart calls police to investigate IT security breach


National retailer Kmart has called in the Australian Federal Police and the Office of the Australian Information Commissioner to investigate an IT security breach which it has confirmed saw customers’ data accessed by unknown parties.

In a statement yesterday, the Wesfarmers-owned company — which operates some 203 stores around Australia as well as a 246-location strong network of Kmart Tyre and Auto outlets — sad its online order system had been breached yesterday.

“The breach included customers’ identity (name), email address, delivery and billing address, telephone number and product purchase details,” the company said. “No online customer credit card or other payment details have been compromised or accessed.”

“Yesterday, an email was sent directly to those customers whose details were accessed to inform them of this situation and Kmart Australia has posted details of the breach on its social media pages. This breach only impacts a selection of customers who have shopped online with Kmart Australia. If customers have not received a message from Kmart Australia regarding this situation they have not been impacted.”

The company said as soon as Kmart was made aware of the breach, immediate action was taken to stop any further information being accessed. “The safety and security of customer’s private information is a priority for Kmart Australia,” the company said.

Kmart has engaged “leading” IT forensic investigators and has contacted the Office of the Australian Information Commissioner and Australian Federal Police to thoroughly review the matter. It apologised to customers for the breach and advised any concerned customers to contact the company directly on 1800 124 125.

I suspect that this kind of breach is more or less a dime a dozen at the moment — and that we’re not hearing about a lot of the activity. In this sense, security is a bit like an iceberg — there are doubtless many more corporate breaches of this nature swimming below the surface unreported. It will be fascinating to see how many finally come up for air if compulsory data breach legislation ever passes the Federal Parliament.


  1. Perhaps a Freudian slip…
    “sad its online order system had been breached yesterday.”
    I applaud KMart for admitting this and giving details quickly. Although confidence in online systems will be impacted, more corporates should at least report these incidents.
    Now we need to know what steps were taken to prevent this from occurring and why it failed. How much budget is spent on physical security versus online?

    • “…is spent on physical security versus online?”

      Wrong question. Better: “How many management have been locked out of the server?” One may also wonder how often the locks (passcodes etc) are changed. And who changes them?

      And what procedures does KMart have to mitigate the disaster? Like, for instance, using an offline box to issue new passcodes to all customers and applying that change to an offline backup which will only be put online after the server has been secured. Possibly also new usernames. Not very much, but provides breathing space.

