For about a month, Kmart says, its stores' checkout registers were "compromised by malicious software that stole customer credit and debit card information."
The company, owned by Sears, says it removed the malware from its system after it was discovered Thursday. It announced the exposure late Friday, saying that no personal data or PIN numbers were lost.
While some important customer information seems to have been protected, the breach could still allow criminals to make counterfeit versions of the exposed credit cards.
The company announced the problem on its website, along with a recommendation: "If customers see any sign of suspicious activity, they should immediately contact their card issuer." The company also says customers can get more information at its website and over the phone at 888-488-5978.
The number of customers in question hasn't been announced; the vulnerability did not affect online shoppers, the company says.
Saying the breach likely began in early September, Sears announced that to protect anyone "who shopped with a credit or debit card in our Kmart stores during the month of September through yesterday (Oct. 9, 2014), Kmart will be offering free credit monitoring protection."
The data breach affected only "track 2" data, reports security expert Brian Krebs, citing a Sears spokesman who says the information "did not include customer names, email address, physical address, Social Security numbers, PINs or any other sensitive information."
With Friday's announcement, the retailer joins Target, Neiman Marcus and Home Depot on the list of large companies whose customers' data was accessed illegally in the past year.