International beauty-supply retailer Sally Beauty Supply said an investigation of a hacking attempt has revealed less than 25,000 records with payment card data was accessed.
Customer name, credit or debit card number, and the card’s expiration date and security code were affected by the breach, Sally Beauty released. Other than card numbers, “We do not believe that sensitive information such as social security numbers or dates of birth, was compromised as part of this issue,” said Denton, Texas-based Sally Beauty Holdings, in a statement.
“As experience has shown in prior data-security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation,” the retailer added. “As a result, we will not speculate as to the scope or nature of the data security incident.”
On March 5 Sally Beauty said it detected a data breach and enlisted the help of forensics firm Verizon. At the time the retailer said there was “no reason to believe there has been any loss of credit card or consumer data.”
Sally Beauty said it continues to work with Verizon as well as the US Secret Service.
The retailer will continue to post updates about the investigation. “We will be providing appropriate notifications to affected consumers and others, as necessary, as the facts develop and we learn more,” Sally Beauty said.
On the same day Sally Beauty went public with the possibility of a data breach, Brian Krebs of Krebs on Security reported a fresh batch of 282,000 stolen credit and debit cards went on sale on a popular underground crime store and three banks made targeted buybacks of the cards. Each bank determined all of the purchased cards were used within the last 10 days at Sally Beauty Supply.
Sally Beauty said it is conducting a review of all payment-card information systems while removing all malware, reviewing intrusion-detection systems and firewalls, reinforcing security tools and modifying software and security credentials.
Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalist experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or [email protected].
