Sally Beauty: When one Breach Begets Another
The beauty supply store acknowledged today that it was the victim of yet another data breach – the second in as many years. But where does one incident end and another begin?
Sally Beauty acknowledged on Thursday that it has been the victim of a data breach: the second to affect the company in just over a year.
The beauty products seller notified customers earlier this month that it was investigating reports of unusual activity on payment cards used at some of its U.S. locations. On Thursday it acknowledged a breach in a statement by CEO Chris Brickman.
“We believe it is in the best interests of our customers to alert them that we now have sufficient evidence to confirm that an illegal intrusion into our payment card systems has indeed occurred. However, we will not speculate on the scope of the intrusion as our forensics investigation is still underway,” said Brickman. “We are working diligently to address the issue and to care for any customers who may have been affected by the incident.”
The official acknowledgement comes ten days after the web site KrebsonSecurity.com raised the specter of a breach at the Denton, Texas, firm. Writing on May 4, Brian Krebs said that financial institutions were reporting a “pattern of fraudulent activity” with Sally Beauty at the center.
That would be the second breach in as many years. In 2014, the company acknowledged that it was the victim of hackers who compromised point of sale systems with malware that stole customer credit cards.
Sally Beauty sells and distributes products through 4,900 stores in North America, South America and Western Europe.
But is the Sally Beauty leak truly a second incident, or simply a continuation of the earlier, 2014 breach? It’s not clear, but Sally Beauty’s response to the 2014 breach should certainly make ‘incomplete incident response’ at least a plausible explanation of how a major US corporation gets breached twice in two years.
Among the red flags is a dispute over the size of the 2014 breach. While Krebs initially reported the breach as affecting as many as 260,000 customers, Sally Beauty would confirm only a much smaller incident, saying just 25,000 customer accounts were compromised. Sally Beauty didn’t offer any explanation for the discrepancy in the number of affected customers.
Writing last week, however, Krebs quoted a former Sally Beauty employee “Blake Curlovic,” saying that the company had reason to know the 25,000 figure was bogus (“Curlovic” appears to have been a false name). Quoting “Curlovic,” Krebs wrote that a Secret Service investigation suggested that “260,000 was probably on the low end,” and the number “should have been closer to around a million, based on the number of credit transactions Sally Beauty had daily.”
The Krebs story paints an unflattering portrait of Sally Beauty as a company that leaned heavily on a single IT security vendor, Tripwire, and then was unable to respond when that vendor’s technology made it clear that malicious actors had compromised the company’s network.
Among other things, Curlovic disclosed that Sally Beauty was unable to thwart an unsubtle malware attack that distributed FrameworkPOS – malicious, data-stealing software – to some 6,000 point-of-sale systems used by the company, even after that malware malfunctioned and interfered with Netlogon, a service that allowed point-of-sale terminals to communicate with the corporation’s network. One possible reason that more credit card numbers were not stolen, in other words, may be that the attackers botched their build of FrameworkPOS – the cyber criminal equivalent of the gun jamming.
In such an environment, it’s entirely plausible to believe that the attackers behind the first breach maintained a toehold on Sally Beauty’s corporate network and then exploited that months later, when the coast was clear.
So is that what happened? It’s hard to know. What is clear is a pattern of lackluster response to cyber incidents at this retailer. In both the March 2014 breach and the incident this month, it took Sally Beauty more than a week to even confirm that an incident had taken place and that customer data had been stolen. While it’s understandable that a company might want to wait to speculate on the size and extent of an incident, taking a full week to even confirm that data has left the company’s network seems excessive.
And, in both incidents, Sally Beauty has been reluctant to come clean with what it knows about the extent of the breach of its network. As noted: the company would admit only to information on 25,000 customers being stolen in the March 2014 incident, despite ample evidence to the contrary from banks and credit card firms.
In its statement yesterday, Sally Beauty’s CEO declined to “speculate on the scope of the intrusion as our forensics investigation is still underway.” If the pattern holds true, the results of that forensic investigation will never see the light of day, unless prompted by regulators or customer lawsuits.
The fact is: nothing about the hack of Sally Beauty is that unusual. Mr. Krebs theorizes – probably correctly – that the firm was simply another notch on the belt of Russian and Ukrainian cyber criminals who carried out similar attacks on retailers last year. Getting hacked, these days, is no sin. But organizations distinguish themselves not just by how well they fend off attackers, but by how well they handle the fallout of (inevitable) breaches. On that score, Sally Beauty isn’t likely to wear the pageant crown any time soon.
Paul F. Roberts is the Editor in Chief of The Security Ledger.