Breach Notification , Card Not Present Fraud , Incident & Breach Response

Sally Beauty Confirms Second Breach

Retailer's Investigation of 'Illegal Intrusion' Continues
Sally Beauty Confirms Second Breach

Sally Beauty Supply now says that it has "sufficient evidence to confirm that an illegal intrusion into our payment card system has indeed occurred."

See Also: Secureworks Named a Major Player in the 2024 IDC MDR Marketscape

The news comes 10 days after Sally Beauty announced that it was investigating reports of "unusual" card activity that had been brought to its attention.

In a May 14 statement about the intrusion, the retailer offers few details. "We will not speculate on the scope of the intrusion as our forensics investigation is still under way," says Chris Brickman, Sally Beauty's president and CEO, in the statement. "We are working diligently to address the issue and to care for any customers who may have been affected by the incident."

Now, Sally Beauty recommends that customers who suspect their cards may have been compromised contact their card-issuing banking institutions. "Under the payment card brand rules, they will not be responsible for fraudulent charges to their accounts that are promptly reported, so we encourage our customers to monitor their payment card statements and report any suspicious transactions to their financial institutions," its brief statement notes.

Earlier Incident

In March 2014, Sally Beauty reported that some 25,000 records containing card data had been illegally accessed and possibly removed as a result of an unauthorized intrusion (see Sally Beauty: Card Data Was Compromised).

When card issuers in recent weeks began tracing new suspicious card activity back to Sally Beauty, some experts questioned whether the retailer had failed to fully eradicate malware linked to its first attack, or that the same hackers took advantage of an undiscovered "backdoor" they installed during that first attack (see New Sally Beauty Breach: Old Intrusion?).

Some experts now say, however, that it's unlikely that the 2014 and 2015 breaches are connected, and conclude that it's more likely that this newest breach is the result of a remote-access attack, like the one that compromised POS vendor Harbortouch Payments in March.

One threat researcher with direct knowledge about the Harbortouch breach and the 2014 Sally Beauty breach, who asked not to be named, says it's probable that the same attackers that hit Harbortouch also hit Sally Beauty.

But Harbortouch spokesman Nate Hirshberg tells ISMG that Sally Beauty is not a customer of the company, "nor is there any connection between Harbortouch and Sally Beauty."

And a spokesperson for Sally Beauty declined to comment about a possible breach connection, saying the company would not comment on speculation.

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.