May 4, 2015

Sally Beauty Card Breach, Part Deux?

For the second time in a year, nationwide beauty products chain Sally Beauty Holdings Inc. says it is investigating reports of unusual credit and debit card activity at some of its U.S. stores.

Last week, KrebsOnSecurity began hearing from multiple financial institutions about a pattern of fraudulent charges on cards that were all recently used at Sally Beauty locations in various states. Reached for comment on Sunday about the fraud pattern suggesting yet another card breach at the beauty products chain, Sally Beauty issued the following statement this morning:

“Sally Beauty Holdings, Inc. is currently investigating reports of unusual activity involving payment cards used at some of our U.S. Sally Beauty stores. Since learning of these reports, we have been working with law enforcement and our credit card processor and have launched a comprehensive investigation with the help of a leading third-party forensics expert to aggressively gather facts while working to ensure our customers are protected. Until this investigation is completed, it is difficult to determine with certainty the scope or nature of any potential incident, but we will continue to work vigilantly to address any potential issues that may affect our customers.”

Their statement continues: “Consistent with our ‘Love it or Return It’ policy, customer security and confidence remains our number one priority. As a result, we encourage any customer who is concerned about the security of their payment cards to call our Customer Service Hotline at 1-866-234-9442, so that we can assist them in addressing any potential concerns. Sally Beauty will, as appropriate, provide updates as we learn more from our investigation.”

In addition, the company also sent out an urgent alert today to its employees, asking associates to direct any customers with credit card issues to the Sally Beauty Web site or to call customer service. “We hadn’t gotten an email like that since last year when we had our breach,” the Sally Beauty employee said on condition of anonymity.

On March 5, 2014, this publication first reported that a batch of more than 282,000 cards that went up for sale on Rescator[dot]cc — the same site that was first to sell cards stolen in the Home Depot and Target breaches — all traced back to customers who’d shopped at Sally Beauty locations nationwide. Asked about that pattern at the time, a company spokesperson said Sally Beauty had recently detected an intrusion into its network, but that neither its information technology experts nor an outside forensics firm could find evidence that customer card data had been stolen from the company’s systems.

On March 17, 2014, Sally Beauty officially confirmed a breach of its network, but said its investigation determined that fewer than 25,000 card accounts were removed from its network. Nevertheless, a subsequent, exhaustive analysis of the Sally Beauty store ZIP codes listed in the cards for sale on Rescator’s site indicated that the 2014 breach impacted virtually all 2,600+ Sally Beauty locations nationwide.

Sally Beauty is not alone in dealing with separate card compromise incidents in a short period of time. Last month, hotel franchise management firm White Lodging disclosed that for the second time in a year, hackers had broken into point-of-sale systems at food and beverage outlets inside many of its franchise locations.

It is possible that Sally Beauty locations are feeling the brunt of a large number of compromises at point-of-sale vendors, such as the recently announced breach among Harbortouch POS customers. However, at least two banks contacted by this author say the cards they were alerted to by Visa and MasterCard that correspond to the Harbortouch incident have very little overlap with the customer cards that were hit with fraudulent charges in the wake of their use at Sally Beauty locations recently.


  1. Robert.Walter

    Looks like they failed with fulfilling their “number one priority”…

  2. Donald J Trump

    Looks like they didn’t take breach security seriously the first time around.

  3. Hmm?! The disconnect between Harbortouch and Sally Beauty locations leaves me wondering what characteristics of their situation make one POS system or vendor more of a problem than at other merchants?

  4. For small purchases maybe it’s cash is king again. Buy a tube of lipstick and you are spending days straightening out your bank account.

  5. More important here, is what Sally Beauty failed to learn the first time around. What was their failure to correct the first problem and then not learn about how to better protect themselves and their customers?

    Hard to keep customer loyalty when this happens two times in a row!

    It would be interesting to know if the lowest cost credit card equipment and the lowest cost security consultants were used by this company. In any event, the security organizations helping Sally Beauty need to try harder to give better advice. It could be the company didn’t listen to the experts!

  6. What are the methods being used to hack the POS systems?

    • Once you get malware onto the POS systems you are pretty much screwed.

      http://krebsonsecurity.com/2015/04/pos-providers-feel-brunt-of-poseidon-malware/

      • Unless of course you use whitelisting to prevent malware from ever running on the POS, or you use end to end encryption so that all they gain is encrypted card data.

        But those cost money, and retail runs on tight margins.

        • 1000 copies of bit9 costs $24,000 so we are not talking a lot of money for whitelisting. About the same as useless Symantec SEP.

          • That’s the cost of the license, but the installation, policy creation and management will certainly cost much more to the business. We could be talking more full time staff or managed sec services

            Not an undue cost and not without benefit, of course. But if the organization doesn’t respect the need for controls it goes into monitor mode without anyone watching

          • Michael Fourdraine

            Not all whitelisting / endpoint products work on all POS systems. Even if you had the willingness there may be compatibility / functionality issues.

            • Re: Alex – “Whitelisting isn’t that difficult to get around. It’s about as effective as today’s anti-virus in most cases.”

              You could do a pretty good whitelist and keep it safe.

              Put those POS systems behind their own firewall and put the whitelist in the firewall ruleset. Now the make/model of the POS system doesn’t matter and any compatibility issues go away.

              The only way I can think of for a bad guy to break that would be to first penetrate the network, then penetrate the firewall. Penetrate the network with a typical phishing scheme. The inside of the “main” firewall is easy to find, although you could put in a 2nd box to guard the POS systems instead of just a subnet of the “main” firewall. But presumably access to that system is limited to only a few pros, so a phishing attack would need to be really really good. And brute force or dictionary attacks should be easy to guard against.

              So you put the POS systems behind a Linux box with a good iptables ruleset and you have another layer of defense without spending a fortune. I don’t see any downside.

      • Whitelisting isn’t that difficult to get around. It’s about as effective as today’s anti-virus in most cases.

        • @Alex
          “Whitelisting isn’t that difficult to get around. It’s about as effective as today’s anti-virus in most cases.”

          I disagree with that!!! Of course you still have to patch whitelisted apps and considering how incompetent some IT Departments are… Well, you know.

  7. Who was their PFI the first time around?

  8. Brian,

    This is completely unrelated to the subject matter of your most recent blog post, but this is the only channel I know to alert you to something.

    I hope that you read this. I looked for ways to contact you via e-mail, etc., but they do not seem to be available (or at least not advertised).

    Check out page B4 of the May 4 Wall Street Journal.

    Apparently, the corporate lobbies in DC have convinced both houses of Congress to introduce legislation that overrides state laws, and makes data breaches un-reportable, unless the company that was breached due to their lax security policies “believes there is a risk that the breach would lead to serious identity theft or fraud”.

    This is a huge deal. It’s basically a shutdown of data breach reporting, since it will all be at the discretion of the companies that were breached, with no effective oversight mechanism to ensure appropriate reporting.

    This will avoid (according to the article) the $145 average cost to breached companies for each record breached. Large companies with lax cyber security are highly motivated to see that this bill passes both houses of Congress.

    This needs to be publicized and organized against, as the successful anti-SOPA efforts did. The EFF needs to be made aware and enlisted, as well as all the other consumer-friendly cyber organizations.

    As I discussed my frustration with my wife, with no way to fight this, I realized that you might be the right person to make the right parties aware of this terrible idea that is coalescing in DC.

    Just FYI…

  9. Their main security analysts consist of a former TD Bank CISO who, under his watch, experienced a data breach and loss of 260,000 (all) customer records, a person who worked with him, a retirement-age former IBM contractor, a Quality Assurance analyst, and a church videographer…

    Are we really surprised this happened to a multi-billion (4+ billion) dollar company that entrusts its security to inexperienced security personnel?

  10. Looks like Sally is anything but “beautiful”? She has egg all over her face and it isn’t a facial treatment.

  11. Unbelievable. And inexcusable. How does anybody get nailed twice by the same crime? And the argument that it’s too expensive to isolate those POS systems is hogwash. Yup, here comes the shameless plugs. I build firewalls using a small piece of hardware and Red Hat Fedora for pennies on the dollar versus the over-complicated vendor stuff. The whitelist can go right in the ruleset and the firewall can log and drop any traffic outside the whitelist. Simple and clean. All open source. Writeup right here:

    http://www.infrasupport.com/security/firewalls/

    And for those who still think security is somebody else’s problem, spend $15 and read this book:

    http://www.bullseyebreach.com

    – Greg Scott
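The firewall-based whitelist that the iptables reply in comment 6 and comment 11 both describe, written out as an added example for this page. It is not code from any commenter, from Infrasupport's writeup, or from the article; the POS subnet, interface name, processor addresses and ports are constructed placeholders, and the script only prints the iptables commands unless `IPT=iptables` is set and it is run as root. It is a segment-level egress whitelist: established replies and a handful of processor/DNS/NTP destinations are accepted, nothing may initiate connections into the POS segment, and everything else the POS hosts try to reach is logged (rate-limited) and dropped, which is the "log and drop any traffic outside the whitelist" idea from comment 11. One caveat the thread itself raises: this contains what a compromised register can talk to, but it does not stop memory-scraping malware on the register from reading card data in the first place; that is what the end-to-end encryption mentioned earlier in the thread addresses.

```shell
#!/bin/sh
# Added example (not from the article or any commenter): a whitelist-only
# iptables ruleset for a dedicated POS network segment.
# All addresses, the interface and the ports below are constructed
# placeholders for illustration; adjust them for a real deployment.
# Dry run by default: prints the commands. IPT=iptables as root applies them.

POS_IF="eth1"                  # interface facing the POS segment (assumption)
POS_NET="10.50.0.0/24"         # POS segment address range (constructed)
IPT="${IPT:-echo iptables}"    # dry run unless the caller overrides IPT

# Whitelist of "proto dest port" tuples the POS segment may initiate to
# (constructed sample: two processor endpoints, local DNS and NTP).
WHITELIST="tcp 203.0.113.10 443
tcp 203.0.113.11 443
udp 10.50.0.1 53
udp 10.50.0.1 123"

# is_whitelisted PROTO DEST PORT -> exit status 0 if the tuple is allowed.
# Useful for checking a proposed change before touching the ruleset.
is_whitelisted() {
    while read -r proto dest port; do
        [ -z "$proto" ] && continue
        if [ "$proto" = "$1" ] && [ "$dest" = "$2" ] && [ "$port" = "$3" ]; then
            return 0
        fi
    done <<EOF
$WHITELIST
EOF
    return 1
}

# build_pos_ruleset: emit (or apply) the forwarding rules for the POS segment.
# Default deny, then explicit accepts, then log-and-drop for everything else.
build_pos_ruleset() {
    $IPT -P FORWARD DROP
    $IPT -N POS_OUT 2>/dev/null
    $IPT -F POS_OUT

    # Everything leaving the POS segment is evaluated in the POS_OUT chain
    $IPT -A FORWARD -i "$POS_IF" -s "$POS_NET" -j POS_OUT

    # Replies to flows the POS hosts already opened
    $IPT -A POS_OUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New connections only to the whitelisted destinations
    while read -r proto dest port; do
        [ -z "$proto" ] && continue
        $IPT -A POS_OUT -p "$proto" -d "$dest" --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done <<EOF
$WHITELIST
EOF

    # Anything else the registers try to reach: log (rate-limited) and drop.
    # The log line is the detection signal; a register phoning an unknown host
    # is exactly what a POS compromise looks like on the wire.
    $IPT -A POS_OUT -m limit --limit 10/min -j LOG --log-prefix "POS-DROP: "
    $IPT -A POS_OUT -j DROP

    # Traffic back into the segment: replies only, never new connections
    $IPT -A FORWARD -o "$POS_IF" -d "$POS_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -o "$POS_IF" -d "$POS_NET" -m conntrack --ctstate NEW -j DROP
}

# Usage: sh pos_whitelist.sh --show          (print the rules)
#        IPT=iptables sh pos_whitelist.sh --show   (apply, as root)
case "${1:-}" in
    --show) build_pos_ruleset ;;
esac
```

Managing the segment this way also sidesteps the compatibility problem raised about endpoint whitelisting agents: the registers themselves run nothing extra, so the make and model of the POS does not matter. The log prefix is there so the drops can be shipped to whatever the business already uses for monitoring; as an earlier comment notes, a control nobody watches quietly becomes monitor mode.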

  12. Richard Steven Hack

    “How does anybody get nailed twice by the same crime?”

    Simple.

    “You can haz better security, you can haz worse security. But you cannot haz ‘security’. There is no security. Deal.”

    They just didn’t “deal” hard enough. Meaning they probably spent all their money and effort on “prevention” – which is impossible – probably by buying a new bunch of “blinky lights” hardware at $100,000 a crack – instead of breach detection and remediation.

  13. Sheesh. I was ‘bitten’ by them last year (shopped TWICE in the narrow window-of-exposure) and would have never thought it would happen again.
    Replacing a card is a pain. I’m still finding stuff linked to that old card (mainly, online shopping accounts that I seldom use, etc.).
    I never received ANY notification from my CC company OR Sally’s.
    When I mentioned it to one of the store peeps, they got really nervous and acted like I shouldn’t know about it.
    So much for keeping us informed!

  14. Has anyone seen the dates of the second compromise?

    • James Huntley

      I called their hotline number and was told they are not sure if any customer data was compromised. My card had a fraudulent charge recently and I was calling to see if my data was stolen. Seems like they are backpedaling.

  15. Any update available on this Sally’s breach? Dates would be most helpful.

    • VW, Googling “the investigation is ongoing” + “Sally Beauty” shows national sources saying that the investigation is still ongoing.