Sally Beauty Confirms Second Breach
Retailer's Investigation of 'Illegal Intrusion' Continues
Sally Beauty Supply now says that it has "sufficient evidence to confirm that an illegal intrusion into our payment card system has indeed occurred."
The news comes 10 days after Sally Beauty announced that it was investigating reports of "unusual" card activity that had been brought to its attention.
In a May 14 statement about the intrusion, the retailer offers few details. "We will not speculate on the scope of the intrusion as our forensics investigation is still under way," says Chris Brickman, Sally Beauty's president and CEO, in the statement. "We are working diligently to address the issue and to care for any customers who may have been affected by the incident."
Now, Sally Beauty recommends that customers who suspect their cards may have been compromised contact their card-issuing banking institutions. "Under the payment card brand rules, they will not be responsible for fraudulent charges to their accounts that are promptly reported, so we encourage our customers to monitor their payment card statements and report any suspicious transactions to their financial institutions," its brief statement notes.
Earlier Incident
In March 2014, Sally Beauty reported that some 25,000 records containing card data had been illegally accessed and possibly removed as a result of an unauthorized intrusion (see Sally Beauty: Card Data Was Compromised).
When card issuers in recent weeks began tracing new suspicious card activity back to Sally Beauty, some experts questioned whether the retailer had failed to fully eradicate malware linked to its first attack, or whether the same hackers took advantage of an undiscovered "backdoor" they installed during that first attack (see New Sally Beauty Breach: Old Intrusion?).
Some experts now say, however, that it's unlikely that the 2014 and 2015 breaches are connected, and conclude that it's more likely that this newest breach is the result of a remote-access attack, like the one that compromised POS vendor Harbortouch Payments in March.
One threat researcher with direct knowledge about the Harbortouch breach and the 2014 Sally Beauty breach, who asked not to be named, says it's probable that the same attackers that hit Harbortouch also hit Sally Beauty.
But Harbortouch spokesman Nate Hirshberg tells ISMG that Sally Beauty is not a customer of the company, "nor is there any connection between Harbortouch and Sally Beauty."
And a spokesperson for Sally Beauty declined to comment about a possible breach connection, saying the company would not comment on speculation.