Full extent of the breach is still to be determined

May 15, 2015 07:53 GMT

Sally Beauty, one of the largest suppliers of professional beauty products in the world, confirmed on Thursday that its card payment processing systems had been compromised by an unknown attacker.

The news comes after an investigation was started more than a week ago, following reports of fraudulent charges on cards used by customers at Sally Beauty locations in the US.

This would be the second card breach at Sally Beauty in little over a year. In the previous incident, disclosed in March 2014, card records of 25,000 customers were stolen.

The investigation has not been completed

The investigation is ongoing, but the company has determined that the initial suspicions were true and that an unauthorized third party had breached the payment card systems.

However, Sally Beauty does not provide any details regarding the motivation of the intruders as the forensic examination is still to be completed, says Chris Brickman, President and CEO of the company.

“Our customers are our top priority and we regret any frustration or inconvenience this illegal breach may cause them. I want to thank them for their patience and support as we continue to work hard to correct this issue,” he added in an official statement released on Thursday.

Security blogger Brian Krebs learned from several financial institutions last week that illegal transactions had been recorded on cards used at multiple Sally Beauty locations in the US.

Number of impacted customers has not been disclosed

Sally Beauty sells and distributes products through 4,900 locations, most of them in the US. There are about 200 franchised units present outside the US too, scattered across the world, in countries such as the UK, Belgium, Chile, Colombia, Peru, France, the Netherlands, Puerto Rico, Mexico, Spain, and Germany.

The total annual revenue from its Sally Beauty Supply business (which offers products through professional lines like Clairol, L’Oreal, Wella and Conair) and its Beauty Systems Group business (branded as CosmoProf and Armstrong MacCall stores) amounts to $3.8 / €3.33 billion.

At the moment, there is no information on the locations that have been impacted by the incident or the number of customers whose card data has been exposed, but Brickman says clients will not be liable for any fraudulent transactions resulting from the breach.

"Much like a chain, a network is only as strong as its weakest links, and it’s very clear now that we face persistent thieves, organised like ants, who will find whatever we leave open to take," said Mike Lloyd, CTO at RedSeal, via email.

We have contacted Sally Beauty through their media relations company for more details on the matter, but we have yet to receive an answer.