Sally Beauty: No Data Lost in AttackRetailer Acknowledges POS Network Was Hit
Despite certain evidence that suggests a possible breach at Sally Beauty Supply, the retailer maintains that a recent cyber-attack against its point-of-sale network did not expose card data.
"As a result of our ongoing investigation, which included assistance from a top-tier security firm, we have no reason to believe there has been any loss of credit card or consumer data," Sally Beauty says in a statement issued March 5. "We will continue to investigate and actively monitor this situation."
Asked to provide an update on March 6, a company spokesperson told Information Security Media Group: "Nothing's changed. There's no reason to believe there's been any compromise of customer data or credit card data."
Sally Beauty operates approximately 4,500 stores worldwide and had $3.6 billion in sales in 2013.
Four card issuers tell Information Security Media Group they've seen evidence of fraud tied to cards that were used at Sally Beauty, as well as other retailers. But they say it's too soon to definitively say whether cards were exposed in a breach of Sally Beauty's POS network because consumers use cards at so many different retailers.
Fraud expert Avivah Litan of Gartner Research says she's also hearing from card issuers that "there are indicators that card data was compromised" for cards used at Sally Beauty.
On March 2, a fresh batch of account details for 282,000 stolen credit and debit card went on sale in an underground crime store, according to security blogger Brian Krebs. Three different banks contacted by Krebs made targeted purchases from the underground store, buying back information for some cards previously issued to customers. The banks reported that those cards had been used within the last 10 days at Sally Beauty locations across the U.S.
On Feb. 28, the Secret Service confirmed to Bloomberg News that it was investigating a potential attack against Sears. But in a statement to Information Security Media Group, Sears said its internal investigation had so far found no indication that its network had even been attacked, much less breached.
In late January, card issuers reported that fraudulent card activity also suggested a breach at Texas-based arts and crafts retailer Michaels. Michaels said it was investigating the claims, although no evidence of a breach had yet been detected.
On Dec. 23, Target confirmed malware was to blame for an infection of its point-of-sale system that likely exposed details associated with 40 million debit and credit cards between Nov. 27 and Dec. 15. The breach also affected personal information on up to 70 million customers.
On Jan. 22, Neiman Marcus acknowledged that a POS breach likely compromised debit and credit transactions dating back to July 2013. Originally, Neiman Marcus estimated some 1 million cards were likely exposed; in late February, however, the retailer issued a revised estimated total of approximately 350,000 compromised accounts. (see: Neiman Marcus Downsizes Breach Estimate).
(News Writer Jeffrey Roman contributed to this story.)