Sears says it finds no evidence of data breach -- yet

Sears is the latest large retailer to investigate a possible data breach

Sears Holdings said a review of its systems has not yet shown evidence of a data breach, as retailers remain on guard in light of the payment card terminal hacking at Target and Neiman Marcus.

The department store chain, with 2,500 stores in the U.S. and Canada, is the latest company to say it is investigating a possible breach, following the hotel management company White Lodging Services and the arts and crafts chain Michaels.


"There have been rumors and reports throughout the retail industry of security incidents at various retailers, and we are actively reviewing our systems to determine if we have been a victim of a breach," wrote Howard Riefs, director of corporate communications at Sears Holdings, in an email.

Target and Neiman Marcus said payment card terminals, known as point-of-sale devices, were infected with malicious software that collected payment card details located on the magnetic stripe on the back of cards.

Target said up to 40 million credit and debit cards were stolen. Neiman Marcus initially said 1.1 million cards may have been affected, but downgraded the estimate to around 350,000 cards on Feb. 21.

Hackers capitalized on a weakness in point-of-sale systems where unencrypted card details are briefly held in a computer's memory. In Target's breach, the malware eventually transmitted the card details to servers outside of the company. Some of the data became available in underground cybercrime forums.

The incidents marked a startling progression by hackers, illustrating continuing weaknesses in a years-long effort to shore up security around payment cards with an industry guideline known as the Payment Card Industry's Data Security Standard (PCI DSS).

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Copyright © 2014 IDG Communications, Inc.