Sears Holdings Corp. confirmed Friday that it has launched an investigation to determine whether the company suffered a data breach.
"There have been rumors and reports throughout the retail industry of security incidents at various retailers, and we are actively reviewing our systems to determine if we have been a victim of a breach," Sears spokesman Howard Riefs said in a written statement. "We have found no information based on our review of our systems to date indicating a breach."
The company's response came after a report from Bloomberg News cited two sources familiar with the investigation, indicating that both the U.S. Secret Service and a unit from Verizon Communications Inc. were involved in the ongoing forensics efforts. Both the Secret Service and Verizon have declined comment.
Prior to the Bloomberg report last week, Bryan Sartin, director of the Verizon Enterprise Solutions RISK team, told the Wall Street Journal that the company was currently involved in undisclosed breach investigations at two different retailers, but did not provide further details.
For Sears, investigation may not mean breach
Prior to the Bloomberg report, Sartin and veteran security journalist Brian Krebs discussed the fraud-detection process known as common point of purchase (CPP) analysis. Card issuers use it to locate a breached merchant: when an unusual share of the cards later used for fraud all appear in the transaction history of one retailer, that retailer becomes the suspected point of compromise.
It is normally a reliable method for discovering data breaches in payment environments, but not always. According to Sartin, it breaks down after a massive breach such as the recent one at Target Corp. So many cards are compromised that the customers of almost any small retailer overlap heavily with the breached set, and smaller financial institutions, which see only their own cards' activity, can't necessarily tell a merchant that was actually breached from one whose customers simply also shopped at the breached retailer. The result is numerous false positives.
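The two steps described above, as an added illustration that is not code from the article, from Verizon or from any issuer: a constructed set of card-to-merchant transactions and a constructed list of cards later seen in fraud, a CPP ranking of merchants by the share of their cards that turned up in fraud, and a second pass that checks how much of each merchant's signal is explained by a merchant already known to be breached (the post-Target false positive Sartin describes). Merchant and card names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data for illustration only; not records from any real issuer.
# Each row: (card_id, merchant). "BigBox" plays the role of a mass-breached retailer.
TRANSACTIONS = [
    ("c1", "BigBox"), ("c2", "BigBox"), ("c3", "BigBox"), ("c4", "BigBox"),
    ("c5", "BigBox"), ("c6", "BigBox"), ("c7", "BigBox"), ("c8", "BigBox"),
    ("c1", "CornerCafe"), ("c2", "CornerCafe"), ("c3", "CornerCafe"),
    ("c4", "GasStop"), ("c9", "GasStop"), ("c10", "GasStop"),
    ("c7", "Bookshop"), ("c8", "Bookshop"),
]
# Cards the issuer later saw used in confirmed fraud (constructed).
FRAUD_CARDS = {"c1", "c2", "c3", "c4", "c5", "c6", "c9", "c10"}


def cards_by_merchant(transactions):
    """Map each merchant to the set of distinct cards that transacted there."""
    seen = defaultdict(set)
    for card, merchant in transactions:
        seen[merchant].add(card)
    return seen


def common_point_of_purchase(transactions, fraud_cards, min_fraud_cards=3):
    """Rank merchants by the share of their cards that later appeared in fraud.

    Returns a list of (merchant, fraud_card_count, total_card_count, share),
    highest share first. Merchants with fewer than min_fraud_cards fraudulent
    cards are dropped: a handful of hits is not a usable signal.
    """
    ranked = []
    for merchant, cards in cards_by_merchant(transactions).items():
        fraud = cards & fraud_cards
        if len(fraud) >= min_fraud_cards:
            ranked.append((merchant, len(fraud), len(cards), len(fraud) / len(cards)))
    ranked.sort(key=lambda row: (row[3], row[1]), reverse=True)
    return ranked


def share_explained_by(transactions, fraud_cards, known_breached_merchant):
    """For every other merchant, the fraction of its fraud cards that also shopped
    at a merchant already known to be breached. A value of 1.0 means the merchant's
    CPP 'signal' may be nothing more than an echo of the larger breach."""
    seen = cards_by_merchant(transactions)
    breached_cards = seen.get(known_breached_merchant, set())
    result = {}
    for merchant, cards in seen.items():
        if merchant == known_breached_merchant:
            continue
        fraud = cards & fraud_cards
        if fraud:
            result[merchant] = len(fraud & breached_cards) / len(fraud)
    return result


if __name__ == "__main__":
    for merchant, nfraud, ntotal, share in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(f"{merchant:12s} fraud cards {nfraud}/{ntotal}  share={share:.2f}")
    for merchant, frac in share_explained_by(TRANSACTIONS, FRAUD_CARDS, "BigBox").items():
        tag = "likely echo of BigBox" if frac == 1.0 else "independent signal"
        print(f"{merchant:12s} {frac:.2f} of its fraud cards also seen at BigBox -> {tag}")
```

On this data the naive ranking puts CornerCafe and GasStop at a 100% fraud share, ahead of BigBox itself, because every card they saw was later used fraudulently. The second pass separates them: all of CornerCafe's fraud cards also shopped at BigBox, so it is probably a false positive, while only one of GasStop's three did, which is the kind of residual signal worth investigating. Real analysis also windows on transaction dates, which the sample omits.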
The breach rumors surrounding the Hoffman Estates, Ill.-based retailer come on the heels of a number of confirmed security incidents at retailers across the United States, most notably Target and Neiman Marcus. Firm connections have yet to be established among that string of retailer data breaches, though RAM-scraping point-of-sale (POS) malware has been linked to all known cases. Such malware reads card data out of the memory of the POS process, where the track data from a swipe typically sits unencrypted for a short time while the transaction is processed, even when the data is encrypted on disk and in transit.
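Why memory-resident card data is so easy to harvest, as an added example that is not from the article and not a sample of any real POS malware: a scan of a constructed byte buffer (standing in for a POS process memory dump) for Track 2 data, which is what both a RAM scraper and a defensive memory-scanning control look for. The buffer, the card numbers (standard test PANs) and the `;PAN=YYMMSSS...?` layout used are the only assumptions; the Luhn check filters out digit runs that merely resemble a PAN.

```python
import re

# Track 2 as it appears in the clear: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Constructed memory image (not a real dump). Mixes process strings, one
# Luhn-valid track, one decoy that fails Luhn, a second valid track, and
# an "encrypted" blob that the scanner cannot do anything with.
MEMORY = (
    b"\x00\x00POSAPP v2.1\x00log: txn 4471 approved\x00"
    b";4111111111111111=25121011234567890?\x00"
    b"random junk ;1234567890123456=2512101000?\x00"
    b"\x90\x90;5555555555554444=2606101987654321?\x00"
    b"encrypted blob: \x8a\x13\xf0\x77\x2c\x01\x9e"
)


def luhn_ok(pan):
    """Standard Luhn mod-10 check on a PAN given as a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """PCI-style masking: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(buf):
    """Return every Luhn-valid Track 2 record found in buf, with its offset.

    This is the whole trick: if track data is in process memory in the clear,
    a regex plus a checksum is enough to pick it out of megabytes of noise.
    """
    hits = []
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue            # digit run that only looks like a PAN
        hits.append({
            "offset": m.start(),
            "pan": pan,
            "expiry": m.group(2).decode("ascii"),
            "service_code": m.group(3).decode("ascii"),
        })
    return hits


if __name__ == "__main__":
    for h in scan_for_track2(MEMORY):
        print(f"offset {h['offset']:5d}: {mask_pan(h['pan'])} exp {h['expiry']} svc {h['service_code']}")
```

The same scan finds nothing in the encrypted blob at the end of the buffer, which is the argument for encrypting track data at the reader (point-to-point encryption) rather than only on disk and on the wire: the scraper can only take what the POS process holds in plaintext.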
In January, the Federal Bureau of Investigation reportedly provided select retailers with a confidential document warning them to expect more point-of-sale malware attacks in the near future.
"We believe POS malware crime will continue to grow over the near term, despite law enforcement's and security firms' actions to mitigate it," said the FBI in the report, seen by Reuters. "The accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially motivated cybercrime attractive to a wide range of actors."