Sally Beauty Details POS Malware AttackPayment Card Data Stolen During Six-Week Intrusion
Sally Beauty Supply says that an "illegal intrusion" resulted in access to point-of-sale systems at some of its U.S. stores for a six-week period beginning in March (see Sally Beauty Confirms Second Breach).
In a May 28 statement, the company details the results of a third-party digital forensics investigation, which finds that attackers injected malware into multiple POS systems at Sally Beauty's U.S. stores at various points between March 6 and April 17. "Payment card information of customers that used cards at affected U.S. Sally Beauty stores during this time may have been put at risk," it says.
Sally Beauty has not disclosed whether it believes the POS malware was installed physically or by hackers remotely (see Why POS Malware Still Works). But the company reports that it has now eliminated the malware "from all Sally Beauty point-of-sale systems." The company notes in a FAQ that payment card data appears to have been stolen, including customers' name, credit or debit card number, expiration date, cardholder verification value - not the three-digit security code on the reverse of the card - and service code. Sally Beauty notes that it does not collect or store PIN data, and thus "has no reason to believe, and has received no information to suggest, that debit card PINs may have been impacted."
Sally Beauty is a Denton, Texas-based retailer that reported 2014 revenue of $3.8 billion, and which operates more than 4,900 stores worldwide.
"We regret any inconvenience this incident may have caused our customers, and we want to reassure them that protecting our customers is our priority," says Sally Beauty President and CEO Chris Brickman. "Because we cannot pinpoint exactly which cards might have been affected during our reported date range, we are offering credit monitoring services to any customer who used their payment card at a U.S. Sally Beauty store between March 6th and April 17th of 2015." More information is available via the Sally Beauty website, which also details email and telephone contact points.
The company did not specify how many of its U.S. stores may have had malware-infected POS systems, or the number of customers or payment accounts that may have been affected. Reached for comment, a spokesman referred to the statement published on the Sally Beauty website.
Still, the malware-attack report from Sally Beauty has been swift by most data breach notification standards, arriving just four weeks after the company said it first learned of the attacks. The company is also highlighting the breach notification via a prominent "Sally Beauty Data Security Incident Update" link at the top of its homepage.
Sally Beauty first released related public alerts about the apparent intrusion on May 4, saying that it was investigating "reports of unusual activity involving payment cards" used by customers at some of its U.S. stores, and noting that it first received related warnings during the week of April 27. In a subsequent, May 14 warning, Brickman reported that "we now have sufficient evidence to confirm that an illegal intrusion into our payment card systems has indeed occurred."
The breach follows Sally Beauty confirming in 2014 that a network intrusion exposed payment card data for 25,000 customers' accounts. That led some industry watchers to question whether the 2015 breach resulted from the retailer failing to fully eradicate the 2014 POS malware infections. But multiple information security experts have told Information Security Media Group that they think it is unlikely that the same group of hackers struck Sally Beauty twice (see Are Sally Beauty, Harbortouch Breaches Linked?).