Sally Beauty Confirms Card Data Breach

Nationwide cosmetics and beauty retailer Sally Beauty today confirmed that hackers had broken into its networks and stolen credit card data from stores. The admission comes nearly two weeks after KrebsOnSecurity first reported that the company had likely been compromised by the same criminal hacking gang that stole 40 million credit and debit cards from Target.

The advertisement run by thieves who stole the Sally Beauty card data.

Previously, Denton, Texas-based Sally Beauty had confirmed a breach, but said it had no evidence that card data was stolen in the break-in. But in a statement issued Monday morning, the company acknowledged it has now discovered evidence that “fewer than 25,000 records containing card present (track 2) payment card data have been illegally accessed on our systems and we believe have been removed.” Their statement continues:

“As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation. As a result, we will not speculate as to the scope or nature of the data security incident.”

“We take this criminal activity very seriously. We continue to work diligently with Verizon on this investigation and are taking necessary actions and precautions to mitigate and remediate the issues caused by this security incident. In addition, we are working with the United States Secret Service on their preliminary investigation into the matter.”

On Mar. 5, this blog reported that hackers appeared to have broken into Sally Beauty’s network and stolen at least 282,000 cards from the retailer. That conclusion stemmed from purchases made by several banks at an archipelago of fraud sites that have been selling cards stolen in the Target breach. The first new batch of non-Target cards sold by this fraud network — a group of cards marketed under the label “Desert Strike” — all were found by three different financial institutions to have been recently used at Sally Beauty stores nationwide.

In a FAQ that accompanies today’s announcement, Sally Beauty declined to speculate whether data from its online stores was compromised, but stressed that so far the breach is known to involve “card present” data — specifically the data stored on the magnetic strip on the backs of cards. Thieves prize this data because it allows them to create counterfeit cards and use them to go shopping in big box stores for high-priced merchandise, gift cards and other items that can be resold quickly for cash.

In a fascinating and timely development, the main fraud shop that has been selling cards stolen in the Sally Beauty breach — rescator[dot]so — was recently hacked, its entire database of customers’ (read: fraudsters) usernames and passwords dumped online. Then, sometime on Sunday, the site’s homepage was defaced, with a message to this author and to the proprietors of the fraud shop:

The site principally responsible for selling Sally Beauty cards — as well as millions of cards stolen from Target — was defaced this weekend.