New Sally Beauty Breach: Old Intrusion?
Fresh Fraud Reports Follow 2014 Breach
One year after Sally Beauty Supply revealed that a network intrusion exposed payment card data for 25,000 customers' accounts, the beauty products supplier has warned that it is now investigating fresh breach reports.
In a May 4 statement, Sally Beauty says that it is investigating new, "unusual" card activity linked to payment cards used at some of its U.S. stores. Sally Beauty says it first began to receive related warnings during the week of April 27.
"Since learning of these reports, we have been working with law enforcement and our credit card processor and have launched a comprehensive investigation with the help of a leading third-party forensics expert to aggressively gather facts, while working to ensure our customers are protected," the company notes. "Until this investigation is completed, it is difficult to determine with certainty the scope or nature of any potential incident; but we will continue to work vigilantly to address any potential issues that may affect our customers."
Sally Beauty, a Denton, Texas-based retailer that reported 2014 revenue of $3.8 billion, operates more than 4,800 stores worldwide.
The beauty supplier has promised to issue additional updates "in the coming days" via its website, as well as directly to affected customers. "We will be providing notifications to any affected consumers and others, as appropriate, as the facts develop and we learn more," it says. It also requested that any customer who discovers fraudulent activity that they believe relates to Sally Beauty should contact its customer service hotline after alerting their card issuer or bank.
Lightning Strikes Twice?
Numerous security experts note that the timing of the second breach report is - at the very least - curious. "Sally Beauty experienced two breaches within a short period of time. It is entirely possible that Sally Beauty never fully eradicated the malware on their POS from the first time," says George Rice, senior director of payments for data-encryption firm HP Security Voltage.
John Buzzard, who heads up the card-alert service at analytics software company FICO, also questions the timing of the latest report, and whether POS malware may have lingered. "We are all really perplexed when we see breaches that appear to the naked eye to be a repeat situation," Buzzard says. "As Sally's storyline evolves, we may learn that the level of customization in the malware that allegedly affected them in 2014 was so complex that it was able to evade a stringent mitigation process. I can't ascertain if lightning did, indeed, strike twice here; so it's just a waiting game to see how this can be explained."
Another attack possibility is that even if the POS malware was eradicated, hackers may have still maintained undiscovered backdoor access to Sally Beauty's IT infrastructure. Telecommunications and networking giant Nortel, for example, failed to fully eradicate a 2000 breach, and attackers continued to enjoy access to technical reports and corporate secrets for the next decade. Nortel ultimately declared bankruptcy and ceased operations.
Waiting for More Details
A Sally Beauty spokesman tells Information Security Media Group that "it would be premature to speculate" about whether the 2014 and 2015 breach reports might be linked, and declined to detail which digital forensics investigation firm it brought in to investigate the latest breach reports. In 2014, the company hired Verizon to investigate the breach.
One challenge with analyzing the scant breach details shared May 4 by Sally Beauty is that the retailer released little information about its previous breach as well. On March 17, 2014, Sally Beauty reported: "We have now discovered evidence that fewer than 25,000 records containing card-present (track 2) payment card data have been illegally accessed on our systems and we believe it may have been removed."
The company added at the time that in response to that 2014 breach, it was "searching for and removing all malware we discover on our systems." But it provided few additional details. "As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation," it said. "As a result, we will not speculate as to the scope or nature of the data security incident."
Subsequently, in its 2014 annual report, released in November, the company noted that it had a number of information security defenses in place. "We have physical, technical and procedural safeguards in place that are designed to protect information and protect against security and data breaches as well as fraudulent transactions and other activities," it said. "Despite these safeguards and our other security processes and protections, we have been a victim of cyber-attacks and data security breaches, including a breach that resulted in the unauthorized installation of malware on our information technology systems that may have illegally accessed and removed a portion of payment card data for certain transactions."
Payment Card Security Shortcomings
Ken Westin, senior security analyst at security software vendor Tripwire, says there are a number of steps that all retailers - not just ones that have suffered a POS malware attack - should be taking to safeguard themselves against online attacks, as well as to rapidly detect unfolding breaches. Those include keeping a close eye on all data regulated by the Payment Card Industry Data Security Standard. "Both the intrusion and the malware components can be better detected by taking a layered security approach, monitoring endpoints and the network itself closely for anomalies and indicators of compromise specific to retail breaches," he says. "These include configuration changes, unauthorized processes and credit card data appearing on the file systems, RAM or anywhere outside the PCI environment."
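One way to check for "credit card data appearing on the file systems" is to scan text files and logs for track 2 records, the data type named in the 2014 disclosure. The following sketch is an added example, not code from Tripwire or Sally Beauty; the sample lines are constructed, and 4111111111111111 is a widely used test card number.

```python
import re

# Track 2 layout (ISO/IEC 7813): optional ';' start sentinel, PAN, '=',
# expiry YYMM, 3-digit service code, discretionary digits, optional '?'.
TRACK2_RE = re.compile(r"(?<!\d)(\d{12,19})=(\d{2})(\d{2})(\d{3})\d*\??")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first six and last four digits so findings do not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(text: str):
    """Return (line number, masked PAN) for each plausible track 2 record."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TRACK2_RE.finditer(line):
            pan, _yy, mm, _svc = m.groups()
            if not 1 <= int(mm) <= 12:   # expiry month must be a real month
                continue
            if not luhn_ok(pan):
                continue
            hits.append((lineno, mask(pan)))
    return hits

# Constructed sample: one genuine-looking record and two false positives.
SAMPLE = """\
2015-05-04 10:01:07 pos-sync: batch 118 uploaded, 42 records
tmp buffer: ;4111111111111111=25121010000000000000? end
order ref 4111111111111112=25121010000 (fails Luhn)
inventory id 1234567890123456=99991230000 (month 99)
"""

if __name__ == "__main__":
    for lineno, pan in find_track2(SAMPLE):
        print(f"line {lineno}: possible track 2 data, PAN {pan}")
```

A hit on any system outside the cardholder data environment is the kind of anomaly Westin describes and warrants investigation of how the data got there.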
In the bigger picture, however, one challenge faced by Sally Beauty and other retailers is the poor security of the U.S. payment card infrastructure, Westin says. "The retail industry as a whole needs to move to point-to-point encryption - P2PE - which can come at a heavy cost, because it often requires an overhaul of existing payment systems. So this is not something that will happen quickly."