The rumors could have emerged due to false positives produced by CPP analysis

Mar 1, 2014 11:04 GMT  ·  By

Rumors have emerged that the US retailer Sears has suffered a data breach. However, the company says there’s no evidence that its systems have been penetrated by cybercriminals.

“There have been rumors and reports throughout the retail industry of security incidents at various retailers, and we are actively reviewing our systems to determine if we have been a victim of a breach,” the company’s representatives have told Brian Krebs.

“We have found no information based on our review of our systems to date indicating a breach,” they added.

Bryan Sartin, the director of the Research, Investigations, Solutions, Knowledge (RISK) Team at Verizon Enterprise Solutions, told The Wall Street Journal that they’ve been alerted to data breaches suffered by two major retailers. Sears could be one of them.

However, it’s also possible that Sears hasn’t actually suffered a breach. Based on what Sartin told Krebs, there is a plausible alternative explanation for the rumors.

Many financial institutions rely on common point of purchase (CPP) analysis to work out where a batch of compromised cards was stolen.

The process starts from the payment cards whose owners have reported fraudulent charges and looks for the merchant those cards have in common. If a large share of the cards later abused by fraudsters were all used at the same merchant during the same timeframe, that merchant becomes a suspect for having been hacked.

Sartin says the method is highly effective, but it can also produce false positives, particularly in a period like this one, in which 40 million cards were compromised in the breach suffered by Target.

The main problem is with smaller banks, which may wrongly conclude that a merchant’s network has been compromised simply because the cards in their fraud reports were also used at that merchant, when the cards were in fact stolen at Target. Any retailer whose customers overlap heavily with Target’s will surface in the same analysis.

“CPP is linear enough that it just says look, there’s a problem in these shoppers’ accounts. So you have many banks looking at these patterns, and reporting that upstream, and the more noise these banks make about it, the more likely there will be an investigation that could be erroneous,” Sartin has told Krebs.

“That’s why there is often a period of probably 60 to 90 days after a major data breach that until such time as the investigating entity gets there and [identifies] the at-risk batch of accounts — there’s really no ability for them to identify what’s a false flag and what’s not.”
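The CPP mechanics described above, and the false positive Sartin describes, as an added example in Python. This is not code from the article, from Verizon or from any bank; the transactions, card numbers, thresholds and every merchant other than Target are constructed for illustration, and RETAILER_X stands in for any merchant whose customers overlap heavily with Target’s. The example runs the analysis twice: naively, where RETAILER_X is flagged alongside the genuinely breached merchants, and again after the investigating entity has identified Target’s at-risk batch and those cards are set aside, at which point the false flag disappears.

```python
"""Common point of purchase (CPP) analysis over constructed card data.

Added example, not part of the original article. All transactions, card
numbers and thresholds are synthetic; RETAILER_X and RETAILER_Y are
hypothetical merchants.
"""
from collections import defaultdict
from datetime import date, timedelta

ANALYSIS_START, ANALYSIS_END = date(2013, 11, 1), date(2013, 12, 31)


def build_sample():
    """Synthetic transactions as (card_id, merchant, purchase_date)."""
    tx = []
    # Target's publicly reported breach window (Nov 27 - Dec 15, 2013)
    target_window = (date(2013, 11, 27), date(2013, 12, 15))
    for c in range(2000):                      # every card shops at the grocer
        tx.append((c, "GROCER", date(2013, 12, 1)))
    for c in range(800):                       # cards 0..799 shopped at Target inside the window
        tx.append((c, "TARGET", date(2013, 12, 1) + timedelta(days=c % 14)))
    # RETAILER_X (hypothetical): 400 of its 600 customers are also Target shoppers
    for c in list(range(400)) + list(range(1000, 1200)):
        tx.append((c, "RETAILER_X", date(2013, 12, 5)))
    # RETAILER_Y (hypothetical): independent customer base, genuinely breached
    for c in range(1500, 1700):
        tx.append((c, "RETAILER_Y", date(2013, 12, 10)))
    # Fraud reports the banks received: 300 cards stolen at Target, 80 at RETAILER_Y
    fraud = set(range(300)) | set(range(1500, 1580))
    return tx, fraud, target_window


def cpp_analysis(transactions, fraud_cards, start, end,
                 exclude=frozenset(), min_hits=20, lift=1.5):
    """Return ({merchant: (fraud_hits, cards_seen, fraud_rate)}, flagged_merchants).

    A merchant is flagged when at least `min_hits` reported-fraud cards were
    used there inside [start, end] and its fraud rate is `lift` times the
    baseline rate across the whole card population. Cards in `exclude`
    (a known at-risk batch) are dropped before anything is counted.
    """
    seen = defaultdict(set)
    population = set()
    for card, merchant, day in transactions:
        if card in exclude or not (start <= day <= end):
            continue
        seen[merchant].add(card)
        population.add(card)
    baseline = len(population & fraud_cards) / len(population)
    scores = {}
    for merchant, cards in seen.items():
        hits = len(cards & fraud_cards)
        scores[merchant] = (hits, len(cards), hits / len(cards))
    flagged = sorted(m for m, (hits, _, rate) in scores.items()
                     if hits >= min_hits and rate >= lift * baseline)
    return scores, flagged


def at_risk_batch(transactions, merchant, start, end):
    """Cards used at a confirmed-breached merchant inside its breach window."""
    return {c for c, m, d in transactions if m == merchant and start <= d <= end}


def run(exclude_target_batch):
    """Run CPP over the sample, optionally removing Target's at-risk batch first."""
    tx, fraud, (t0, t1) = build_sample()
    batch = at_risk_batch(tx, "TARGET", t0, t1) if exclude_target_batch else frozenset()
    return cpp_analysis(tx, fraud, ANALYSIS_START, ANALYSIS_END, exclude=batch)


if __name__ == "__main__":
    naive_scores, naive_flags = run(False)
    print("naive CPP flags:", naive_flags)            # RETAILER_X is a false flag
    print("RETAILER_X fraud rate:", naive_scores["RETAILER_X"][2])
    _, cleaned_flags = run(True)
    print("after removing Target's batch:", cleaned_flags)
```

RETAILER_X is flagged in the naive run not because it was breached but because half the cards seen there were stolen at Target; its fraud rate is even higher than Target’s own, which is exactly the kind of signal a small bank would report upstream. Only once the Target batch is known and subtracted does the analysis separate the genuine second breach (RETAILER_Y) from the overlap artefact.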

We’ll have to wait for Sears to conclude its investigation to find out if the retailer has exposed its customers’ information.