Sally Beauty Holdings Inc. said it is investigating reports of unusual activity involving the use of credit cards at some of its U.S. Sally Beauty stores.
The company said it is working with law enforcement and its credit card processor. Sally Beauty also noted that it has launched a “comprehensive investigation” and is working with a leading third-party forensics expert to “aggressively gather facts while working to ensure our customers are protected.”
Until the probe is completed, Sally Beauty said it is difficult to determine the scope or nature of the incident.
The latest data incident is the second one in two years for the company. While Sally Beauty hasn’t yet confirmed there was an actual breach in the most recent incident, it did confirm a data breach involving customer card data in March of 2014. Back then, the company said hackers got into its supplier’s network and stole data, such as payment card numbers and the three-digit security codes, belonging to up to 25,000 customers. The personal identification numbers associated with each card account weren’t affected since those are not stored on Sally Beauty’s computer system.
Data breaches have plagued retailers for some time and remain an ongoing problem.
In 2007, hackers tapped into TJX Cos. Inc.’s network and stole data from at least 94 million TJX customers. In 2014, Target Corp. offered $10 million to settle a class-action lawsuit filed in connection with a data breach in November and December 2013 that affected 42 million customers, according to court documents, although the number could be as high as 70 million when including the personal data that was also stolen from customer accounts. The collateral damage in that breach is believed to have led to the resignation of Target’s then-chairman, president and chief executive officer Gregg Steinhafel. And Neiman Marcus last year hired its first chief information security officer after the luxury chain was hacked between July and October 2013. In the Neiman Marcus data breach, about 1.1 million customer accounts were affected.
Earlier this year, in February, President Obama outlined a framework in an executive order for expanding collaboration between the private sector and government via information-sharing and analysis organizations, or ISAOs, that act as hubs to coordinate data from various sources. The move is expected to make it easier for retailers and other companies to share information on cyber threats and data-security breaches with the government.
The latest “2015 Data Breach Investigations Report” from Verizon, published last month, noted that there were 79,790 incidents overall, with 2,122 confirmed breaches. Over 70 organizations, with 61 countries represented, contributed information to the latest Verizon study, which is compiled annually.
The study noted that in 2010, malware saw few examples of phishing or RAM scraping. In 2014, RAM scraping was present in many high-profile retail data breaches, with many RAM scrapers aimed at point-of-sale systems.
RAM scraping is believed to be the form of malware that was involved in the Target and Neiman Marcus payment card hacks. Information that is otherwise encrypted is vulnerable to “scraping” during the milliseconds in which it sits unencrypted in the memory of the point-of-sale system while the payment is processed.