Credential theft
Kmart / Sears Holdings POS Malware Breach: Payment Card Data
Incident Details
On October 10, 2014, Sears Holdings announced that Kmart stores had been the victim of a data breach involving malware installed on point-of-sale systems. The company stated that the breach had been active for approximately one month, beginning in early September 2014, before being discovered by its IT security team. Debit and credit card numbers were stolen; however, Sears Holdings stated that no personal information (names, addresses, Social Security numbers), no PIN data, and no EMV chip card data was believed to have been compromised. The company did not disclose the number of affected cards, stating only that Kmart had ‘about 1,200 stores.’ Security researchers at the time noted that the stolen card data subsequently appeared on underground card-selling forums.
Sears Holdings’ IT team detected the breach on October 9, 2014 and moved quickly to contain it, removing the malware from POS systems and bringing in an external forensic firm.
The Kmart breach occurred during a wave of large US retail POS malware attacks in 2013-2014 that also struck Target, Home Depot, and other major retailers, all taking advantage of the US’s continued reliance on magnetic stripe cards rather than EMV chip cards. The US EMV liability shift for POS terminals took effect in October 2015.
Technical Details
- Initial Attack Vector
- Point-of-sale (POS) malware installed on Kmart store payment terminals; the malware was undetected by Kmart's and Sears Holdings' antivirus systems for approximately one month before discovery; the precise initial intrusion vector (how malware was installed on the POS systems) was not disclosed
- Vendor / Product
- Kmart (Sears Holdings Corporation)
- Malware Family
- POS RAM-scraping malware (specific variant not publicly named)
Timeline
- 2014-09-01 Breach occurred
- 2014-10-10 Publicly disclosed
- 2014-10-10 Customers notified