Skip to main content

Data Breach at Gunpoint

Written by Amy Malone

You might think that if you lock your backup tapes in a safe they are protected from a data breach, but Kmart’s recent data breach proves that’s not the case.  Last month, a person held a Kmart employee in Little Rock, Arkansas at gun point and ordered him to open the store’s safe.  The perpetrator ran off with the safe’s contents, including almost $6,000 and the day’s backup disk.

The next problem for Kmart (or maybe the first problem)?  The backup disk was not encrypted or password-protected.  The Chicago Tribune reports that information on the disk included confidential information relating to prescriptions including, names, addresses and medications prescribed for almost 800 customers.  According to another news source, parent company Sears says that “certain prescriptions also contained the customer’s social security number.”

Kmart spokesperson Shannelle Armstrong-Fowler said there was a “slim to none” chance of the thief accessing information on the disk because he would need to know what software package Kmart uses and have that software, but, FierceRetail asserts that it would not be that difficult to extract information from the disk by using a hex dump utility.   According to StorefrontBacktalk, the initial police report did not reference the missing data disk, and Little Rock Police said no updated report had been filed. Such an updated report would have been filed had Sears contacted police to update the list of what had been stolen.  Read more details here.

This breach underscores the importance of implementing layers of security.  Using strong encryption and passwords in addition to locking the media in a safe would have provided greater security to customer information and saved Kmart some angst.  Are you utilizing the right security to protect your sensitive information?  Unsure?  Contact one of our privacy attorneys for help.


Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.