Update on Data Security Incident

We are updating this notice to provide potentially affected individuals with additional information about the recent data security incident suffered by a vendor for Sears.com and Kmart.com, and about the measures you can take to protect yourself against fraud and identity theft.  Please read this entire notice.

As explained in our initial posting (below), Sears is investigating an incident in which an unauthorized individual incorporated a malicious script into code used by a vendor to provide services on Sears.com and Kmart.com.  On March 26, 2018, Sears discovered that the malicious script could have collected the names, addresses, and payment card information of customers who placed or attempted to place orders on the Sears.com or Kmart.com websites between September 27, 2017 and October 12, 2017, and entered their payment card information manually on the checkout screen.  Sears has already provided email notices to customers who completed an order affected by the incident, and will also be mailing notification letters to such customers during the week of April 23, 2018.

Customers who attempted to place this type of order, but the payment card was declined, may also have been affected.  Sears does not have sufficient information to identify the customers with declined orders, and therefore provides this update to help inform all potentially affected customers about the incident.  Additional information for residents of certain states appears below, in keeping with these states’ legal requirements.

We encourage all our customers who believe they may be affected by this incident to monitor their card statements and review their free credit report, and otherwise remain vigilant for suspected incidents of fraud or identity theft.  Suspected incidents of identity theft should be reported to your local law enforcement, your state’s attorney general, and/or the Federal Trade Commission.  You can also obtain information about preventing identity theft from the Federal Trade Commission.

Additionally, if you believe your information may have been affected by this incident, you may be able to place a fraud alert or security freeze on your credit report to protect against identity theft.  You can use the contact information provided below to request that consumer reporting agencies place a fraud alert or security freeze on your consumer report.  You can obtain more information about fraud alerts and security freezes from the Federal Trade Commission or from the consumer reporting agencies identified below.

For Massachusetts & Rhode Island Residents:  You have the right to obtain a copy of any police report filed in regard to this incident.  As noted above, you can also request a security freeze if you believe that your information may have been involved in this incident.  To place a security freeze on your credit report, contact the consumer reporting agencies with the following information:
(1) full name, with middle initial and any suffixes;
(2) Social Security number;
(3) date of birth;
(4) current address and any previous addresses for the past two years; and
(5) any applicable incident report or complaint with a law enforcement agency or the Registry of Motor Vehicles.

Your request must also include a copy of a government-issued identification card and a copy of a recent utility bill or bank or insurance statement.  Each copy should be legible, display your name and current mailing address, and the date of issue.  Each consumer reporting agency may charge a fee of up to $5.00 for Massachusetts residents and up to $10.00 for Rhode Island residents to place, temporarily lift, or remove a freeze, unless you are a victim of identity theft or the spouse of a victim of identity theft and you have submitted a valid police report relating to the identity theft incident to the consumer reporting agency.

For Maryland Residents: For more information on how to avoid identity theft, you can contact the Maryland Attorney General’s Office:
Address: 200 St. Paul Place, Baltimore, MD 21202
Telephone: 410-576-6491
Website: www.oag.state.md.us/idtheft/index.htm.

For North Carolina Residents: For more information on how to avoid identity theft, you can contact the North Carolina Attorney General’s Office:

Address: 9001 Mail Service Center, Raleigh, NC 27699-9001
Telephone: 919-716-6400
Fax: 919-716-6750
Website: http://www.ncdoj.gov

For Wyoming Residents: Sears was not asked by law enforcement to delay notifying our customers about this incident due to a law enforcement investigation.  Sears has notified law enforcement about this incident.

Statement on Data Security Incident

[24]7.ai, a company that provides online support services to Sears and Kmart, notified us, as well as a number of other companies, that they experienced a security incident last fall.  We believe this incident involved unauthorized access to less than 100,000 of our customers’ credit card information.  As soon as [24]7.ai informed us in mid-March 2018, we immediately notified the credit card companies to prevent potential fraud, and launched a thorough investigation with federal law enforcement authorities, our banking partners, and IT security firms.

As a result of that investigation, we believe the credit card information for certain customers who transacted online between September 27, 2017 and October 12, 2017 may have been compromised. Customers using a Sears-branded credit card were not impacted. In addition, there is no evidence that our stores were compromised or that any internal Sears systems were accessed by those responsible. [24]7.ai has assured us that their systems are now secure.

Data security is of critical importance to our company, and we take any matter related to customer's personal information very seriously. Our top priority at this point is to quickly identify the impacted customers, notify and assist them in every way possible.  It is important to note that the policies of most credit card companies state that customers have no liability for any unauthorized charges if they report them in a timely manner.  As more information becomes available, we will post updates to our corporate website http://searsholdings.com/update, and we will be establishing a hotline for customers by 10 a.m. Friday, April 6.

Statement issued earlier Wednesday by [24]7.ai on Information Security Incident

Frequently Asked Questions

Who was affected by this incident?
We believe that this incident involved unauthorized access to less than 100,000 of our customers’ payment card information. Certain customers who completed an online order between September 27, 2017 and October 12, 2017 may have been compromised.

Were Sears and Kmart Stores impacted?
No. We understand this was limited just to Sears.com and Kmart.com, and only in that narrow window between September 27, 2017 and October 12, 2017.   In addition, customers who used a Sears-branded credit card were not affected. Customers who used cards that they had saved to their Sears.com or Kmart.com profile were also not affected.

There was no impact to Sears or Kmart stores, or any other Sears websites, such as those that support Shop Your Way, Parts Direct, or Sears Puerto Rico. 

Are Sears.com and Kmart.com safe to use now?
[24]7.ai has assured us that their systems are now secure. We are confident that our customers can safely use their credit and debit cards on our websites.

Have any law enforcement agencies reached out to you about a data breach?
Given the criminal nature of this attack, Sears and Kmart are working closely with federal law enforcement authorities, our banking partners, and IT security firms in this ongoing investigation. We cannot comment on any specific activities by those parties; please direct any questions to them.

Have you hired an outside forensics firm to investigate? What status of that investigation?
As soon as we became aware of this incident from our vendor, we immediately launched a thorough investigation. The investigation to date indicates that those criminally responsible for the event compromised the vendor’s system and installed a form of malicious code that improperly obtained information from certain clients of [247].ai, including Sears and Kmart.

Were any other kinds of customer data compromised (like the info in your customer loyalty card database)?
We believe that this incident was strictly limited to unauthorized access to selected payment card information.

Will you notify the members if their data has been compromised?
Yes. Our top priority at this point is to quickly identify the impacted customers, notify and assist them in every way possible. We are sending email notifications to affected customers on April 6th. This will be followed by notification by USPS in the coming weeks   

Do I as a customer, have any exposure?
It is important to note that the policies of most credit card companies state that customers have no liability for any unauthorized charges if they report them in a timely manner. We recommend that all customers carefully check their card statements for any suspicious activity.

What are you doing to make sure that it doesn’t happen again?
Data security is of critical importance to our company. There is no evidence that our store payment data systems were compromised, or that any internal Sears systems were accessed by those criminally responsible in this event. We maintain appropriate and reasonable physical, electronic, and procedural security safeguards to protect our data, and we continuously review and improve those safeguards in response to changing technology and new threats. We are actively reviewing our vendor security policies, but it is our policy not to discuss the specific details of our security measures.

How can I get more information?
You may continue to visit us here, at searsholdings.com/update.