Sally Beauty Breach: Link to Target?Experts Say Recent Intrusions Could be Connected
Now that Sally Beauty Holdings Inc. has acknowledged payment card data was exposed during a recent cyber-attack, security experts are debating whether the incident is connected to the Target Corp. and Neiman Marcus malware-related breaches.
On March 17, the cosmetics supplies retailer and distributor noted in a statement that details on fewer than 25,000 credit and debit accounts were illegally accessed and "may have been removed." Track 2 data on cards was exposed, the company says. That includes the cardholder's name, account number and encrypted PIN, as well as card value verification three-digit security codes.
"We do not believe that sensitive information, (other than card numbers) such as Social Security numbers or dates of birth, was compromised as part of this issue," the retailer states in an updated FAQ posted to its site March 17. "In addition, Sally Beauty does not collect PIN data and, therefore, it should not be at risk."
Sally Beauty's Investigation
Sally Beauty on March 5 said its systems detected a possible network intrusion. An investigation was then launched. Then, after news of a possible breach broke, the company responded by saying it had no reason to believe that any payment data or consumer information had been exposed, based on its investigation into the security incident.
But four card issuers told Information Security Media Group on March 6 that they had seen evidence of fraud tied to cards that were used at Sally Beauty, as well as other retailers (see Sally Beauty: No Data Lost in Attack).
Now, Sally Beauty, which hired Verizon to investigate its attack, says in its March 17 statement that it cannot speculate about the scope or nature of the breach because its investigation is ongoing (see Sally Beauty: Card Data Was Compromised).
"As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach incident prior to the completion of a comprehensive forensic investigation," the company says.
Sally Beauty declined to provide more details about the attack investigation and whether it had evidence to suggest its breach was linked to those at other retailers, such as Target.
But financial fraud expert Al Pascual, an analyst with the consultancy Javelin Strategy & Research, says it's highly probable that the Sally Beauty incident is linked to other major retailer breaches. "Odds are, these breaches are connected," he says.
One card issuer and a researcher, both of whom spoke on background to Information Security Media, say many of the compromised card numbers first believed to be tied to Sally Beauty were likely compromised in other breaches or multiple breaches. That's why pinpointing a single point of compromise is increasingly challenging for card issuers, they note.
Both believe the Sally Beauty attack is connected to other breaches. Additionally, the researcher says the company's estimate of accounts affected sounds more realistic than the earlier figure of 282,000 compromised accounts that had been circulating in the media.
But Dan Clements, CEO of cyber-intelligence firm IntelCrawler, offers a different perspective on the potential connection to other breaches. He says malware, such as BlackPOS, commonly used in recent retail attacks, is readily available for purchase by criminals, making it difficult to determine whether the Sally Beauty attack is, indeed, linked to other recent breaches. Because any criminal group could purchase malware to wage an attack, it's difficult to attribute breaches to one particular group, he says.
Pascual says the latest announcement from Sally Beauty illustrates that retailers are being increasingly conservative about the details and numbers they release once a breach of their network is discovered.
"My issue is with the relatively small number of cards that Sally Beauty has reported compromised," Pascual says. "It is better for the company, and certainly affected consumers, if they are overly cautious and put out the bigger number first. They can then revise downward without looking as though they were trying to hide something or as though they were simply incompetent."
Plus, retailers need to a better job of notifying consumers promptly, he argues.
"Rather than wait for every issuer to scan transaction histories for customers who shopped at Sally Beauty over an indeterminate period of time, to monitor all of those accounts, and to possibly decline legitimate transactions out of an overabundance of caution, Sally Beauty could lay everything on the table and save everyone a lot of trouble," Pascual says. "I hope they are right about the 25,000, because if not, then this is just another example of a merchant having left issuers holding the bag."
John Buzzard, who oversees FICO's Card Alert Service, says retailers are waiting to release statements and figures until they have more details about network intrusions based on forensics investigations. More retailers are allowing more time for law enforcement to evaluate and investigate possible breaches before they share too much information to the public, he says.
"They simply don't know how big this breach is going to be," Buzzard says. "But there should be a fair amount of exposure here for commercial payment cards, considering that Sally Beauty serves a large pool of business owners as well as more traditional consumers."
Sally Beauty is an international specialty retailer and distributor of professional beauty supplies with annual revenue of $3.6 billion. Through the Sally Beauty Supply and Beauty Systems Group businesses, the company sells and distributes through 4,700 stores, including approximately 200 franchised units, throughout the U.S., the United Kingdom, Belgium, Chile, France, the Netherlands, Canada, Puerto Rico, Mexico, Ireland, Spain and Germany. Beauty Systems Group stores, branded as CosmoProf or Armstrong McCall stores, along with outside sales consultants, sell products for professional and salon use and resale.