Sally Beauty has confirmed that its payment card systems were recently hacked.
The company says it was alerted to "unusual activity involving payment cards used at some of our U.S. Sally Beauty stores" during the week of April 27, 2015. It then launched an investigation with the help of third-party forensics experts.
"We now have sufficient evidence to confirm that an illegal intrusion into our payment card systems has indeed occurred," Sally Beauty president and CEO Chris Brickman wrote in a letter to customers. "We were deeply disturbed to learn this has potentially affected our customers."
"However, we will not speculate on the scope of the intrusion as our forensic investigation is still underway," Brickman added.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
Sally Beauty customers with questions are advised to contact the company at (866) 234-9442.
"Please also be on the lookout for possible attempts from cyber criminals to take advantage of the situation and steal your information by sending fake emails pretending to be from Sally Beauty," Brickman wrote. "We will never ask for your sensitive information and won't include links in any emails about this issue."
The breach had been previously announced, but not confirmed, earlier this month.
Sally Beauty was also hacked just over a year ago, in an incident that exposed just under 25,000 customers' names, credit or debit card numbers, expiration dates and CVV codes.
"Following the 2014 data security incident, we devoted significant time and resources to further strengthen the security of our information technology systems," the company stated recently. "These actions included, among other things, the hiring of a chief information security officer and increased security resources and significant investments in our security systems."
HyTrust vice president Michele Borovac told eSecurity Planet by email that the second Sally Beauty breach illustrates how vulnerable companies continue to be to cyber attacks. "Attackers are getting smarter, and perimeter measures are not enough to stop the kill chain," she said.
"Many of the recent breaches had a common thread: the attacker gained access to administrator credentials," Borovac added. "Organizations must take a fresh look at their internal security systems, processes, and people, and put controls in place to protect these privileged accounts."
Malwarebytes CEO Marcin Kleczynski said by email that the breach makes it clear that the financial industry needs to work harder to improve payment security. "We can do this by employing, or at least experimenting with, numerous security technologies like two factor authentication, Chip and PIN and even dynamic card numbers," he said.
“Our current threat landscape has clearly pointed out the need for security reform in the payment industry, and if something isn’t done soon, we will continue to see breaches that result in serious loss for customers and serious gain (or motivation) for cyber criminals," Kleczynski added.