This news follows major retail breaches at Target, Neiman Marcus and others. It would be responsible behavior for all major retail companies to check their systems, not just for the possibility of a breach, but for the actuality of a breach. At the time of writing, there is no public knowledge that Sears has actually been breached.
Indeed, the email statement by Sears to Bloomberg has been repeated verbatim as the official statement: "There have been rumors and reports throughout the retail industry of security incidents at various retailers, and we are actively reviewing our systems to determine if we have been a victim of a breach. We have found no information based on our review of our systems to date indicating a breach."
To date, then, it simply is not known whether Sears is investigating an actual or reported problem, or merely undertaking responsible governance – and it could be some weeks before the full story is revealed. The problem is that modern malware is very good at hiding its presence; and both Verizon and the Secret Service are saying nothing.
"Companies can find themselves in limbo between initial reports of suspected fraud and confirmation of the size and scope of an attack," notes Bloomberg. "A report on the Neiman Marcus intrusion shows that the firm had been warned of possible fraudulent payments stemming from credit cards in mid-December, but it took a private forensics team until January to find the malware and confirm data was taken."
The problem for Sears, and its customers and shareholders, is a period of uncertainty that could result in the company being given the all-clear; the discovery of limited compromises at one or a few stores; or the discovery of a major breach like those at Target and Neiman Marcus. The involvement of the Secret Service in the investigation could suggest that at least something has already been discovered.