Sally Beauty: Card Data Was Compromised

Records Illegally Accessed, Possibly Removed

Cosmetics supplies retailer Sally Beauty Supply now acknowledges that fewer than 25,000 records containing payment card data were illegally accessed and "may have been removed" as a result of an unauthorized intrusion into its network.

On March 5, the company had said that, based on an investigation of the security incident, "we have no reason to believe there has been any loss of credit card or consumer data." But four card issuers told Information Security Media Group they had seen evidence of fraud tied to cards that were used at Sally Beauty, as well as other retailers (see Sally Beauty: No Data Lost in Attack).

The company, which hired Verizon to investigate the security incident, says in a March 17 statement that it cannot speculate on the scope or nature of the breach because the forensics investigation is still ongoing (see 2 More Breaches Linked to Target?).

"As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach incident prior to the completion of a comprehensive forensic investigation," Sally Beauty says.

The statement continues: "We take this criminal activity very seriously. We continue to work diligently with Verizon on this investigation and are taking necessary actions and precautions to mitigate and remediate the issues caused by this security incident." Sally Beauty is also working with the U.S. Secret Service on the investigation.

More information on the security incident will be posted on the Sally Beauty Supply website in the coming days, the company says. Customers will also be notified when more is learned from the investigation, according to the statement.

Sally Beauty Supply operates approximately 5,000 stores worldwide and had $3.6 billion in sales in 2013.

About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.
