About 25,000 sensitive customer card records were illegally accessed, and some of them are being sold by the same outlet that fenced cards from the Target breach.
That data includes Track 2 data, which is the information used by ATMs and point-of-sale software to authorize purchases, and it usually includes encrypted PINs. The other information includes customers’ names, credit and debit card numbers, and the CVV code on the back of the card. Social Security numbers or dates of birth were likely not breached.
The Texas-based company said that it has engaged the Verizon forensics team to get to the bottom of the compromise, and is working with the US Secret Service on a preliminary investigation into the matter.
The number of compromised records could end up being greater, and the company so far has few details on how the breach occurred. Sally Beauty maintains some 2,600 stores, and the company has stores in every US state, making it a somewhat broad target. “As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation,” the company said in a statement on the website. “As a result, we will not speculate as to the scope or nature of the data security incident.”
However, security researcher Brian Krebs said earlier in the month that as many as 282,000 records could have been compromised.
“On March 2, a fresh batch of 282,000 stolen credit and debit cards went on sale in a popular underground crime store,” he wrote. “Three different banks contacted by KrebsOnSecurity made targeted purchases from this store, buying back cards they had previously issued to customers.”
For instance, Rescator, a dark web “card shop” that traffics in stolen information, was advertising a batch of cards, all of which had been recently used at Sally Beauty stores.
Krebs said that all indicators pointed to a very recent heist at the point-of-sale (PoS). “Stolen cards fetch quite high prices when they are first put on the market, but those prices tend to fall as a greater percentage of the batch come back as declined or canceled by the issuing banks,” he explained. “Thus, the ‘valid rate’ advertised by the fraudsters selling these cards acts as an indicator of the recency of the breach, because as more banks begin noticing fraud associated with a particular merchant, many will begin proactively canceling any cards used at the suspected breached merchant.”
The stolen card info from the Sally Beauty breach was being advertised as “98% valid.” In contrast, the valid rate for cards associated with the Target breach has now “fallen precipitously (along with the prices of the stolen cards themselves),” Krebs noted.
Rescator, which appears to be the work of someone in Odessa, Ukraine, seems to be associated with both the Target and Sally Beauty breaches.
“In my previous sleuthing, I reported that a miscreant using the nickname Rescator (and an online card shop by the same name) was among the first — if not the first — to openly sell cards stolen in the Target breach,” said Krebs. “Further tying the Target breach to Rescator, forensic investigators also found the text string ‘Rescator’ buried in the guts of the malware that was found on Target’s systems.”