Another day, another hacker breaking into a corporate database and stealing customers' credit card information. This time the victim is the Sally Beauty supply company and its shoppers.
KrebsOnSecurity discovered on March 5 that three days earlier, 282,000 stolen credit and debit card numbers became available for sale in what Krebs called "a popular underground crime store."
Three different banks contacted by Krebs investigated how some of their own customers' account numbers wound up among the offerings, by searching for what's known as a “common point of purchase,” or CPP, and discovered that within the previous ten days, all of the tested cards had been used for a Sally Beauty purchase.
Krebs then asked Sally Beauty about the breach, and reported this:
[S]pokeswoman Karen Fugate said the company recently detected an intrusion into its network, but that neither the company’s information technology experts nor an outside forensics firm could find evidence that customer card data had been stolen from the company’s systems.
Fugate said Sally Beauty uses an intrusion detection product called Tripwire, and that a couple of weeks ago — around Feb. 24 — Tripwire detected activity. Unlike other products that try to detect intrusions based on odd or anomalous network traffic, Tripwire fires off alerts if it detects that certain key system files have been modified.
In response to the Tripwire alert, Fugate said, the company’s information technology department “shut down all external communications” and began an investigation.
That said, Krebs noted that the timing of the stolen card numbers' appearance does appear to line up with the intrusion timeline reported by Sally Beauty.
If you have used a credit or debit card to buy anything from a Sally Beauty store since mid-February, contact your bank or credit card company immediately to let them know about the risk; you might have to go so far as to cancel that account (or get a brand-new number assigned to it).