US cosmetics retail giant Sally Beauty has admitted it may have been hit by another data breach after revealing details of a new investigation into “unusual activity involving payment cards” at some of its stores.
The Texas-headquartered firm released the following brief statement on Monday:
“Sally Beauty Holdings, Inc. is currently investigating reports of unusual activity involving payment cards used at some of our US Sally Beauty stores. Since learning of these reports, we have been working with law enforcement and our credit card processor and have launched a comprehensive investigation with the help of a leading third-party forensics expert to aggressively gather facts while working to ensure our customers are protected. Until this investigation is completed, it is difficult to determine with certainty the scope or nature of any potential incident, but we will continue to work vigilantly to address any potential issues that may affect our customers.”
The company urged any customers concerned about the security of their payment cards to call a hotline number on 1-866-234-9442 or visit the website.
The incident comes just over a year after a major data breach hit virtually all of the retail chain’s 2,600 stores nationwide.
At the time the firm claimed that just 25,000 card accounts were compromised, but commentators upped that estimate to over a quarter of a million after a large trove of card data was dumped onto notorious underground forum Rescator – the same site carders used to buy and sell data from the Target and Home Depot breaches.
“It is easy to think that if hackers have come after you once - and successfully so - that they won't be coming back anytime soon. But this simply isn't the case,” Bloxx CEO Charles Sweeney told Infosecurity.
“Hackers learn valuable information about potential vulnerabilities and often strike again a little later down the line. To be hacked twice in little more than a year is both unfortunate and embarrassing for Sally Beauty Holdings but clearly highlights the need for constant vigilance in the face of a determined opponent whose key advantage comes in the form of knowledge.”
In a similar set of events, hotel group White Lodging Services last month admitted that it suspected a breach of point-of-sale systems at 10 locations – the second time it had been hit in a year.
“After suffering a malware incident in 2014, we took various actions to prevent a recurrence, including engaging a third party security firm to provide security technology and managed services,” said Dave Sibley, White Lodging president, in a statement.
“These security measures were unable to stop the current malware occurrence on point of sale systems at food and beverage outlets in 10 hotels that we manage. We continue to remain committed to investing in the measures necessary to protect the personal information entrusted to us by our valuable guests. We deeply regret and apologize for this situation.”