Sally Beauty Supply today announced that credit card data was stolen from its systems in a breach the company had previously described on March 5, 2014 as only an “attempted intrusion” that had been “mitigated” (h/t KrebsOnSecurity).
On March 5, the company had simply stated, “Recently, our systems detected an attempted intrusion into our Sally Beauty Supply LLC network, and we believe we promptly mitigated potential issues arising from this intrusion. As a result of our ongoing investigation, which included assistance from a top-tier security firm, we have no reason to believe there has been any loss of credit card or consumer data.”
Today, however, Sally Beauty?acknowledged, “[W]e have now discovered evidence that fewer than 25,000 records containing card-present (track 2) payment card data have been illegally accessed on our systems and we believe it may have been removed.”
In a FAQ, the company clarified, “At this time, we believe card-present payment card data — customer name, credit or debit card number, and the card’s expiration date and CVV — was affected. We do not believe that sensitive information, (other than card numbers) such as Social Security numbers or dates of birth, was compromised as part of this issue. In addition, Sally Beauty does not collect PIN data and, therefore, it should not be at risk.”
Still, KrebsOnSecurity’s Brian Krebs suggests that the actual number of stolen cards may be much higher — a large batch of stolen credit cards not tied to last year’s Target breach were found to have been recently used at Sally Beauty Supply locations.