Kmart said Friday that its payment system had been compromised by malware since early September.
The bug affected shoppers in the company's physical stores, and it compromised an unspecified number of credit and debit card numbers. It also said kmart.com and Sears customers were not targeted.
A company spokesman declined to say how many cards were affected, citing an investigation. The statement said the party behind the hack didn't get access to debit card PINs or any other customer information.
The company found the breach Thursday and has since retained an unnamed cybersecurity firm to help tackle the problem. It also said it got in touch with federal authorities and its banking partners.
Kmart said affected customers who reported any fraudulent purchases would not be liable if they reported the activity in a timely manner, though it did not give a specific time frame. It will also pay for credit monitoring services