The African American Cyber Report reported in March 2014 on a data breach at Sally Beauty Supply stores. So here we go again!
One year later Sally Beauty Supply is again revealing that a network intrusion exposed customer payment card data and is now investigating fresh breach reports. Sally Beauty has over 4,800 U.S. stores reporting 2014 revenue of $3.6 billion.
Sally Beauty first began to receive warnings of a possible breach during the week of April 27th. In a May 4th announcement, store executives admitted to investigating “unusual” card activity linked to payment cards used at some of its U.S. stores.
“Since learning of these reports, we have been working with law enforcement and our credit card processor and have launched a comprehensive investigation with the help of a leading third-party forensics expert to aggressively gather facts, while working to ensure our customers are protected. Until this investigation is completed, it is difficult to determine with certainty the scope or nature of any potential incident; but we will continue to work vigilantly to address any potential issues that may affect our customers.”
The beauty supplier vowed to provide additional updates “in the coming days” via its website and directly to affected customers. “We will be providing notifications to any affected consumers and others, as appropriate, as the facts develop and we learn more.” The chain also requested that any customer who discovers fraudulent activity that they believe relates to Sally Beauty should contact its customer service hotline after alerting their card issuer or bank.
Cyber security experts point out the suspicious timing of the second data breach. George Rice, senior director of payments for data-encryption firm HP Security Voltage, pointed out, “Sally Beauty experienced two breaches within a short period of time. It is entirely possible that Sally Beauty never fully eradicated the malware on their POS from the first time.”
John Buzzard, head of card-alert service at analytics software company FICO, agrees, stating, “We are all really perplexed when we see breaches that appear to the naked eye to be a repeat situation.” Buzzard continues, “As Sally’s story line evolves, we may learn that the level of customization in the malware that allegedly affected them in 2014 was so complex that it was able to evade a stringent mitigation process. I can’t ascertain if lightning did, indeed, strike twice here; so it’s just a waiting game to see how this can be explained.”
A Sally Beauty spokesman told the Information Security Media Group that “it would be premature to speculate” about whether the 2014 and 2015 breach reports might be linked, and declined to detail which digital forensics investigation firm it brought in to investigate the latest breach reports. The 2014 breach was investigated by Verizon.
The question most customers have is: why did this happen again? In the company’s 2014 annual report, released in November, Sally executives noted the company had a number of information security defenses in place. “We have physical, technical and procedural safeguards in place that are designed to protect information and protect against security and data breaches as well as fraudulent transactions and other activities,” it said. “Despite these safeguards and our other security processes and protections, we have been a victim of cyber-attacks and data security breaches, including a breach that resulted in the unauthorized installation of malware on our information technology systems that may have illegally accessed and removed a portion of payment card data for certain transactions.”
Tripwire senior security analyst Ken Westin says there are steps all retailers need to take, not just those that have suffered a point-of-sale malware attack. These steps will allow retailers to safeguard themselves against online attacks, as well as to rapidly detect unfolding breaches. Those include keeping a close eye on all data regulated by the Payment Card Industry Data Security Standard. “Both the intrusion and the malware components can be better detected by taking a layered security approach, monitoring endpoints and the network itself closely for anomalies and indicators of compromise specific to retail breaches,” he says. “These include configuration changes, unauthorized processes and credit card data appearing on the file systems, RAM or anywhere outside the PCI environment.”
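One concrete form of the file-system check Westin describes, as an added example that is not from the article, from Tripwire or from Sally Beauty: a small Python scanner that flags Luhn-valid card numbers appearing in files outside the cardholder data environment. The sample dump, the regex and the masking format are constructed for this example; the card numbers in it are published test PANs, not real cards.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
# Constructed for this example; production scanners also match raw track formats.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid PAN-like strings found in text, masked to the last 4 digits."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])   # never log the full PAN
    return hits


def scan_file(path: str) -> list:
    """Scan one file on a host that should never hold card data (e.g. a back-office share)."""
    with open(path, "r", errors="ignore") as f:
        return find_pans(f.read())


# Constructed sample resembling a scraper's staging file (test PANs only, not real cards).
SAMPLE_DUMP = """
4111111111111111=2512101...   <- Visa test PAN in track-2 style
order 5500 0000 0000 0004 approved   <- Mastercard test PAN written with spaces
1234567890123456 looks numeric but fails the Luhn check
"""

if __name__ == "__main__":
    for masked in find_pans(SAMPLE_DUMP):
        print("card data found outside the PCI environment:", masked)
```

A real deployment would run `scan_file` over the directories a POS host is not supposed to write card data to and raise an alert on any hit, since the masked output already identifies the file without re-exposing the number.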