Sally Beauty to offer credit monitoring following data breach

Sally Beauty is the latest retailer to offer shoppers a free year of credit monitoring and identity-theft protection for those customers who may have been affected by the incident.
On March 5, 2014, the Denton, Texas-based retailer detected an unauthorized intrusion into the Sally Beauty Supply network and discovered evidence that fewer than 25,000 records containing card-present payment card data may have been illegally accessed on their system. As a result of the continuing investigation, Sally Beauty believes that a larger number of additional records containing payment card data may have been illegally accessed and removed from their systems.

The retailer said it would not speculate on the scope of the data security incident until the forensic review progresses. "Experience with such incidents at other retailers has taught that it is difficult to ascertain the extent of a data breach incident until the required forensic review is complete," a company statement read.

But at least one security expert believes the breach was much bigger than the initially reported 25,000 effected accounts. An investigation by blogger Brian Krebs at KrebsOnSecurity, matched zip codes for stolen credit cards for sale on a crime shop's website with the locations of Sally's Beauty stores. He found a 99.9 percent overlap and concluded approximately 282,000 credit card numbers listed on the site likely came from the retailer.

"We will continue to provide updates regarding the status of the investigation and the steps we will be taking to assist any customers who may have been affected by the incident through our website," the Sally Beauty statement said. "We will provide appropriate notifications to customers who may have been affected by the incident and others as the facts develop and we learn more."

"Our customers remain our top priority," said Gary Winterhalter, president and CEO.

For more:
-See this Sally Beauty announcement

Related stories:
Sally Beauty data breach could include 280,000 accounts compromised
Consumers blame retailers for data breaches
Target: Timeline of a data breach
Target's data breach is a story with long legs
Target breach: Heating vendor confirmed as hackers' entry point