U.S. beauty supply chain Sally Beauty is apparently the latest victim of a credit card data breach, according to security blogger Brian Krebs, who discovered a new batch of credit card numbers for sale in an underground cybercrime market that had recently been used at Sally Beauty stores.
A spokesperson for Sally Beauty said the company is investigating an intrusion of its network, but found no evidence that credit card numbers had been breached. However, several banks contacted by Krebs said they had made targeted purchases of credit card numbers from the recent online “dump” by cybercriminals to find a common source for the stolen card data — which pointed them back to Sally Beauty stores.
“All of the banks reported fraud occurring on cards shortly after they were used at Sally Beauty, in the final week of February and early March,” Krebs reported.
While there are few details of how many records from Sally Beauty may have been breached, there are more than 280,000 card numbers for sale in the same batch, according to Krebs.
The news of the likely data breach of Sally Beauty broke on Wednesday, the same day retail giant Target announced that its chief information officer was stepping down in an effort to reassure customers and shareholders. Target is still dealing with the fallout of its enormous data breach of at least 40 million payment card records before Christmas last year. Several million more credit card records were stolen from retailers Neiman Marcus and Michaels during the same period.
“It would be a reasonable conclusion that something similar to what happened at Neiman Marcus and Target occurred at Sally Beauty Supply,” Sophos security expert Chester Wisniewski said in an interview with TopTechNews.com.
Target and Neiman Marcus were victimized by what is known as RAM scraping malware, a type of malware loaded onto point-of-sale systems that steals the card numbers while they are unencrypted at the register.
According to Chet, the rash of recent credit card breaches at U.S. retailers is a clear demonstration of the problem of U.S. card issuers using old magnetic strip cards, rather than the more secure chip and PIN technology employed by card issuers in Europe and many other countries.
“While retailers certainly have a responsibility to customers and shareholders to prevent this type of theft, the best way to solve the problem is to stop using 16 digits as if they are a secret code that unlocks people’s bank accounts,” Chet tells TopTechNews.com. “The card industry itself has at least as much responsibility for resolving this problem as the merchants.”