Sally Beauty Holdings yesterday announced that it has “received reports of unusual activity involving payment cards used at some of our U.S. Sally Beauty stores.”
“Since learning of these reports, we have been working with law enforcement and our credit card processor and have launched a comprehensive investigation with the help of a leading third-party forensics expert to aggressively gather facts while working to ensure our customers are protected,” the company added.
A Sally Beauty employee told Krebs on Security’s Brian Krebs that the company also recently told its associates to tell customers with credit card issues to visit the company’s website or call customer service. “We hadn’t gotten an email like that since last year when we had our breach,” the employee said.
A previous breach at Sally Beauty, disclosed in March of 2014, affected fewer than 25,000 credit cards used at locations across the U.S.
And the Hard Rock Hotel & Casino Las Vegas last week announced that hackers accessed customer names, credit card numbers, expiration dates and CVV codes for credit and debit card transactions between September 3, 2014 and April 2, 2015 at restaurant, bar and retail locations at the Hard Rock Hotel Las Vegas property.
“We immediately responded upon learning of a potential security issue, engaging outside information security experts to investigate and implementing additional security measures,” the hotel said in a statement. “At the same time we alerted law enforcement authorities of the criminal attack. The attack was contained on April 2, 2015.”
All those affected are being offered one year of free access to Experian’s ProtectMyID Elite service.
Tripwire senior security analyst Ken Westin told eSecurity Planet by email that there are two key lessons to be learned from these breaches. “First, attackers are adapting their methods and the sophistication of their tools,” he said. “Second, many retailers have yet to invest in detection and haven’t yet adapted their defenses to detect these very real threats.”
“The retail industry as a whole needs to move to point-to-point encryption (P2PE), which can come at a heavy cost because it often requires an overhaul of existing payment systems, so this is not something that will happen quickly,” Westin added.
The points of intrusion for these types of breaches, Westin said, remain relatively constant: attackers either leverage exploits against known vulnerabilities, or they conduct spear phishing campaigns.
“Both the intrusion and the malware components can be better detected by taking a layered security approach, monitoring endpoints and the network itself closely for anomalies and indicators of compromise specific to retail breaches,” Westin said. “These include configuration changes, unauthorized processes, credit card data appearing on the file systems, RAM or anywhere outside the PCI environment.”