Sally Beauty: Card Data Was CompromisedRecords Illegally Accessed, Possibly Removed
Cosmetics supplies retailer Sally Beauty Supply now acknowledges that fewer than 25,000 records containing payment card data were illegally accessed and "may have been removed" as a result of an unauthorized intrusion into its network.
On March 5, the company had said that, based on an investigation of the security incident, "we have no reason to believe there has been any loss of credit card or consumer data." But four card issuers told Information Security Media Group they had seen evidence of fraud tied to cards that were used at Sally Beauty, as well as other retailers (see Sally Beauty: No Data Lost in Attack).
The company, which hired Verizon to investigate the security incident, says in a March 17 statement that it cannot speculate on the scope or nature of the breach because the forensics investigation is still ongoing (see 2 More Breaches Linked to Target?).
"As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach incident prior to the completion of a comprehensive forensic investigation," Sally Beauty says.
The statement continues: "We take this criminal activity very seriously. We continue to work diligently with Verizon on this investigation and are taking necessary actions and precautions to mitigate and remediate the issues caused by this security incident." Sally Beauty is also working with the U.S. Secret Service on the investigation.
More information on the security incident will be posted on the Sally Beauty Supply website in the coming days, the company says. Customers will also be notified when more is learned from the investigation, according to the statement.
Sally Beauty Supply operates approximately 5,000 stores worldwide and had $3.6 billion in sales in 2013.