Sally Beauty Supply's (NYSE: SBH) data breach could be much larger than originally reported, as information from more than 280,000 credit cards from nearly all the retailer's 2,600 locations may have been compromised.
Sally Beauty originally said that about 25,000 credit card numbers were stolen during the data breach reported March 17, but an investigation by blogger Brian Krebs at KrebsOnSecurity indicates the numbers could be much, much higher.
"That number seems very conservative when viewed through the prism of data from the cybercriminal shop primarily responsible for selling cards stolen from Sally Beauty customers," wrote Krebs. "Indeed, it suggests that the perpetrators managed to hoover up cards used at nearly all Sally Beauty stores."
Thanks to a specific crime shop, which lists stolen credit card numbers for sale and groups them by zip code, Krebs was able to match the zip codes with the locations of Sally Beauty stores. He found a 99.9 percent overlap and concluded approximately 282,000 credit card numbers listed on the site likely came from the retailer.
Denton, Texas-based Sally Beauty is sticking by its original assessment; it is investigating with a forensics firm and working with the U.S. Secret Service. But if Krebs is correct — and he is the one who uncovered Target's (NYSE: TGT) massive security breach using these same methods in late 2013, so there's little reason to doubt — Sally Beauty joins a growing list of retailers with even bigger security problems.
-See this KrebsOnSecurity article