Hack Report: Sally Beauty Supply Stores
Sally Beauty Supply Stores
Dates of Breaches: February 2014, March 2014
Number of People Affected: Approximately 25,000 Patrons of over 2,600 stores
Date of Report: March 17, 2014
Sally Beauty Supply Company, a retailer of beauty supplies and cosmetics, was hacked twice: once in February 2014 and again around March 2, 2014.
Hackers broke into the company's network and stole credit and debit card data, specifically the track data encoded on the magnetic stripe, which is what a criminal needs to produce counterfeit cards. Brian Krebs, who owns and writes the blog KrebsOnSecurity, to which I subscribe, reported on this breach nearly two weeks before the company confirmed it.
Detective work by Brian Krebs linked the stolen cards to Rescator, a repeat offender who runs a members-only black-market site reselling credit and debit card data.
This is the same actor Krebs tied to the Target breach, which netted data from over 40 million credit and debit cards in December 2013, and to P.F. Chang's China Bistro, where a class-action lawsuit mentions upwards of 7 million credit and debit cards.
On March 5, 2014, a fresh batch of 282,000 cards, sold under the batch name "Desert Strike", went up for sale on Rescator's site. Sally Beauty claimed only 25,000 cards were involved in its breach, so the remainder of the batch came from another breach the Secret Service had yet to identify: either a company did not report its breach, or it has not detected it yet.
Although the company says only 25,000 cards were affected, there is more to this story than meets the eye, and I'm sure we will hear about this in the coming weeks.
The official statement at the time - no customer card data was stolen
The timing of Rescator's sale advertisement was suspicious, and the "validity rate" advertised with the batch is a big tip-off to how new the cards were.
- Rates of 97% to 100% mean very fresh data, probably stolen within the previous 24 to 48 hours.
The validity rate also tells buyers that, because the cards are so fresh, they have little to worry about when using them: the cards have not yet been reported stolen or canceled.
- As more cards in the batch are declined or canceled by the issuing bank, the validity rate drops, ultimately rendering the batch useless.
Once the cards are reported or flagged at the point of sale, Rescator can no longer sell them as easily or for as much money.
- He will have to unload them at bargain-basement prices, since most of the cards will no longer work.
- As the validity rate drops, some buyers will still take a batch hoping to get a handful of good cards, knowing most will be bad.
Once a batch (or any part of it) is linked to a particular merchant as stolen, the US Secret Service contacts the issuing banks of the cards used at that merchant during the breach window so that all of them can be canceled, rendering both the cards and Rescator's advertisement worthless.
Question about credibility
After reading that Sally Beauty Supply customer card data showed up on Rescator's site, do you believe the company when it says no customer data was stolen?
Brian Krebs' Investigation
Brian Krebs is a former reporter for The Washington Post. When his entire home network was overrun by a Chinese hacking group in 2001, he became obsessed with learning everything there was to learn about the underbelly of the hacking world. He is well respected for his knowledge, his results and his blogging about his findings.
Brian Krebs notified three banks which, on his information, purchased a total of 15 cards from the "Desert Strike" batch. They confirmed the cards were live with test purchases, then compared the cards' transaction histories to find a common point of purchase: a merchant where all 15 cards had been used.
That merchant turned out to be Sally Beauty Supply, confirming that the Desert Strike batch held some or all of the data stolen from it.
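The bank-side technique described above is known as common point of purchase (CPP) analysis. The script below is an added example, not code from the original post or from KrebsOnSecurity: it takes the issuing banks' transaction histories for a handful of cards bought from the dump, restricts them to the suspected breach window (the window dates here are assumed from the "last week of February and part of March"), and ranks merchants by how many distinct sampled cards transacted there. All card ids, merchants and dates are constructed for illustration.

```python
"""Common point of purchase (CPP) analysis over sampled dumped cards.

Added example. Transaction histories, card ids and merchant names below are
constructed; the breach window is an assumption based on the post's dates.
"""
from collections import defaultdict
from datetime import date

# Constructed sample: five cards bought from the dump, with the issuing banks'
# transaction histories as (card_id, merchant, transaction_date).
SAMPLE_TRANSACTIONS = [
    ("card-01", "Sally Beauty Supply", date(2014, 2, 26)),
    ("card-01", "Kroger", date(2014, 2, 27)),
    ("card-01", "Shell", date(2014, 3, 1)),
    ("card-02", "Sally Beauty Supply", date(2014, 3, 2)),
    ("card-02", "Walmart", date(2014, 3, 3)),
    ("card-03", "Walmart", date(2014, 2, 25)),
    ("card-03", "Sally Beauty Supply", date(2014, 2, 28)),
    ("card-03", "Sally Beauty Supply", date(2014, 3, 4)),   # repeat visit: counts once
    ("card-04", "Sally Beauty Supply", date(2014, 1, 15)),  # before the window: ignored
    ("card-04", "Sally Beauty Supply", date(2014, 3, 3)),
    ("card-04", "Walmart", date(2014, 3, 3)),
    ("card-05", "Kroger", date(2014, 2, 24)),
    ("card-05", "Sally Beauty Supply", date(2014, 3, 1)),
    ("card-05", "Shell", date(2014, 3, 5)),
]

# Assumed breach window: "last week of February and part of March 2014".
BREACH_WINDOW = (date(2014, 2, 22), date(2014, 3, 5))


def common_points_of_purchase(transactions, window_start, window_end):
    """Rank merchants by the number of distinct sampled cards that transacted
    there inside [window_start, window_end].

    Returns a list of (merchant, card_count, share_of_sampled_cards), sorted by
    descending card count, then merchant name. A card that visited the same
    merchant several times inside the window is counted once for that merchant.
    """
    cards_seen = set()
    merchant_to_cards = defaultdict(set)
    for card, merchant, day in transactions:
        cards_seen.add(card)          # every sampled card counts toward the share
        if window_start <= day <= window_end:
            merchant_to_cards[merchant].add(card)
    total = len(cards_seen)
    if total == 0:
        return []
    return sorted(
        ((merchant, len(cards), len(cards) / total)
         for merchant, cards in merchant_to_cards.items()),
        key=lambda row: (-row[1], row[0]),
    )


def likely_breached_merchants(transactions, window_start, window_end, min_share=1.0):
    """Merchants touched by at least `min_share` of the sampled cards in the window.

    With the default min_share=1.0 this is exactly the "merchant where all
    sampled cards were used" test the banks applied to the Desert Strike cards.
    """
    return [
        merchant
        for merchant, _count, share in common_points_of_purchase(
            transactions, window_start, window_end)
        if share >= min_share
    ]


if __name__ == "__main__":
    for merchant, count, share in common_points_of_purchase(
            SAMPLE_TRANSACTIONS, *BREACH_WINDOW):
        print(f"{merchant:22s} cards={count}  share={share:.0%}")
    print("common point of purchase:",
          likely_breached_merchants(SAMPLE_TRANSACTIONS, *BREACH_WINDOW))
```

In the constructed data, Sally Beauty Supply is the only merchant every sampled card touched inside the window, while a big-box store shows up on three of five cards. That second result is the usual false positive in CPP work: very popular merchants appear on many card histories regardless of any breach, which is why analysts insist on a tight date window and a high share (ideally all sampled cards) before naming a merchant, and why buying more cards from the dump strengthens the finding.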
Cards (that is, card data) were advertised at about $18 for a prepaid Visa and as much as $150 for American Express, Platinum and frequent-flyer-mile type cards.
Sally Beauty brought in Tripwire and Verizon Enterprise Solutions to investigate the intrusion, which was narrowed down to the last week of February and the first part of March 2014.
The timing of Rescator's quickly advertised sale matches the dates of Sally Beauty's intrusion, and all three banks Brian Krebs contacted began to see fraudulent activity on many cards that had been used at Sally Beauty during those dates.
Sally Beauty Supply Company made three separate statements on its website (http://sallybeautyholdings.com/sally-beauty-data-incident/questions-and-answers.aspx), which also carries some Q & A for customers. No letters were sent, so anyone who was not a regular visitor to the website would never have seen these three statements.
Have you or a member of your family shopped at Sally Beauty Supply Stores during February or March 2014?
Sally Beauty Supply Company's Solution
Per their website, they are "offering one free year of credit monitoring and identity-theft protection services for those customers who may have been affected." They did not name the monitoring company. The statement continues:
"If you are interested in this service, please contact the customer service line at 1-866-234-9442 or firstname.lastname@example.org for assistance with enrollment, Monday through Friday, 9:00 a.m. to 7:00 p.m. and Saturday, 10:00 a.m. to 5 p.m. (Eastern Standard Time)."
© 2014 Rachael O'Halloran