Sally Beauty Supply said its early March data breach is worse than originally thought.
Denton, Texas-based Sally Beauty Holdings announced it had detected a possible breach on March 5 and later said an investigation revealed that it was hacked, but that fewer than 25,000 records with payment card data were accessed.
“We now understand that a larger number of additional records containing payment card data may have been illegally accessed and removed from our systems,” Sally Beauty said in an updated statement.
The international beauty-supply retailer previously told Advisen it could not comment on whether it had cyber insurance.
Sally Beauty gives no additional information on its data breach other than: “The scope of the incident has not been fully determined,” and the retailer will “not speculate on the scope.”
On the same day Sally Beauty went public with the possibility of a data breach, Brian Krebs of Krebs on Security reported that a fresh batch of 282,000 stolen credit and debit cards went on sale on a popular underground crime store, and that three banks made targeted buybacks of the cards. Each bank determined all of the purchased cards were used within the last 10 days at Sally Beauty Supply.
Sally Beauty said it is offering a free year of credit monitoring and identity-theft protection to affected customers.