Sears Holdings Corp., the retailer run by hedge fund manager Edward Lampert, is investigating a possible security breach after a series of cyberattacks on other retailers have exposed the data of millions of consumers.
The security review is still at an early stage as Verizon Communications Inc.’s digital forensics unit and the U.S. Secret Service sift through the company’s computer data to look for traces of hackers and the extent of any incursion, according to two people familiar with the matter.
Sears, which is already working to reverse 28 straight quarters of declining sales, is now faced with fighting a possible hacking attack with shoppers on edge after a flurry of retail data breaches tarnished the image of merchants including Neiman Marcus Group and hurt sales at Target Corp. Pinpointing the scope of an attack can take weeks because of the stealth techniques used by hackers.
An investigator who works as a consultant for major card issuers said the importance of a breach at Sears would be determined by whether it’s just in a few stores or in the company’s entire point of sale system. A compromise of the entire system, like those at Target and Neiman Marcus, would be far more serious, said Canh Tran, the chief executive officer of Rippleshot, a Chicago-based fraud detection company.
“Merchants are not in the business of protecting themselves, and you now have second- and third-tier criminals doing this,” Tran said. “We’re really just waking up to it.”
Sears is evaluating whether it’s been attacked.
“There have been rumors and reports throughout the retail industry of security incidents at various retailers, and we are actively reviewing our systems to determine if we have been a victim of a breach,” Howard Riefs, a Sears spokesman, said in an e-mailed note. “We have found no information based on our review of our systems to date indicating a breach.”
Jeffrey Nelson, a spokesman for Verizon Enterprise Solutions, declined to comment about whether the company is probing a possible Sears breach.
Companies can find themselves in limbo between initial reports of suspected fraud and confirmation of the size and scope of an attack. A report on the Neiman Marcus intrusion shows that the firm had been warned of possible fraudulent payments stemming from credit cards in mid-December, but it took a private forensics team until January to find the malware and confirm data was taken.
Sears shares declined more than 2 percent after Bloomberg News reported on the investigation. The stock closed at $44.75, up 4 percent, in New York.
The Secret Service is leading investigations of the attacks on Target and Neiman Marcus that exploited retailers’ point-of-sale, which process more than $3 trillion in U.S. transactions a year, according to David Robertson, publisher of the Nilson Report, an industry newsletter based in Carpinteria, California.
Sears, based in Hoffman Estates, Illinois, is attempting to mount a comeback under CEO Edward Lampert, who took the reins of the company a year ago. He’s investing in e-commerce and rewards programs in a bid to reverse declining sales. He also has sold assets and sought to shrink the company’s store base, saying retailers today need less square footage.
Lampert, who controls about 48 percent of Sears’s shares, was named CEO in January 2013, eight years after he engineered Kmart Corp.’s $12 billion buyout of Sears in 2005. The company renamed itself Sears Holdings after the merger. Though Lampert has struggled to make Sears profitable, he said in a letter to investors this week that his turnaround plan may begin to pay off this year. The company’s net loss last quarter shrank to $358 million, or $3.37 a share, from $489 million, or $4.61, a year earlier. Revenue fell 14 percent to $10.6 billion.
Target, the second-largest U.S. discount chain, has said the theft of customer data may have affected anyone who provided basic information to the retailer over the past several years. In December, the Minneapolis-based retailer said credit- and debit-card data for as many as 40 million people who shopped in its stores between Nov. 27 and Dec. 15 may have been compromised. In January, the company said the thieves also got access to the names, phone numbers and home and e-mail addresses of as many 70 million people.
At Target, hackers gained access to payment-card information for tens of millions of customers at the height of the holiday shopping season last year, forcing the company to do months of damage control.
“At this time we are not able to reasonably estimate a range of possible losses on the payment card networks’ potential claims,” the company said this week.