Sally Beauty Details Malware Attack That Led to Recent Data Breach

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Sally Beauty Holdings recently provided an update on its investigation into a recent data breach that exposed customer credit card data.

The company had previously announced that it had "received reports of unusual activity involving payment cards used at some of our U.S. Sally Beauty stores" during the week of April 27, 2015, after which it launched what it described as a "comprehensive investigation with the help of a leading third-party forensics expert."

In mid-May, Sally Beauty president and CEO Chris Brickman followed up by stating, "We believe it is in the best interests of our customers to alert them that we now have sufficient evidence to confirm that an illegal intrusion into our payment card systems has indeed occurred. However, we will not speculate on the scope of the intrusion as our forensics investigation is still underway."

Then, on May 28, 2015, Sally Beauty stated that it "can now confirm criminals used malware believed to have been effectively deployed on some of its point-of-sale systems at varying times between March 6th and April 17th, 2015. Accordingly, the payment card information of customers that used cards at affected U.S. Sally Beauty stores during this time may have been put at risk."

Because Sally Beauty doesn't collect or store PIN data, the company said there's no reason to believe debit card PIN numbers were exposed.

The company says it has now eliminated the malware in question from all Sally Beauty point-of-sale systems.

"We regret any inconvenience this incident may have caused our customers, and we want to reassure them that protecting our customers is our priority," Brickman said in a statement. "Because we cannot pinpoint exactly which cards might have been affected during our reported date range, we are offering credit monitoring services to any customer who used their payment card at a U.S. Sally Beauty store between March 6th and April 17th of 2015."

Potentially affected customers who want to access those credit monitoring and identity protection services are advised to contact the company at (866) 234-9442 or customerserviceinquiry@sallybeauty.com.

Sally Beauty was also breached last year in an intrusion the company said exposed "fewer than 25,000" customer names, credit or debit card numbers, expiration dates and CVV codes.

Brad Cyprus, chief of security and compliance at Netsurion, told eSecurity Planet by email that Sally Beauty's acknowledgement that malware was used to compromise its PoS system shouldn't come as a surprise. "This is the way that everyone is being hit, because as we’ve seen during the last two years, it costs nothing for data thieves to attempt to hack a business," he said. "What retailers need to understand is that every business is a worthwhile and valuable target."

Cyprus said the breach also demonstrates that cybercriminals aren't using particularly new or sophisticated methods of attack. "There are solutions to prevent malware attacks, and they include retailers always taking steps to protect a location’s incoming Internet traffic, implementing secure remote access, keeping anti-malware software up-to-date, updating the PoS as security patches are released, and limiting outbound Internet traffic to decrease their chances of becoming the next headline," he said.