Sally's data breach possibly affected up to 280,000 customers

Sally Beauty Supply (NYSE: SBH) earlier this month said that about 25,000 credit card numbers were stolen during a data breach, but new evidence shows the hack could have been much larger, reports KrebsOnSecurity. Information from 282,000 cards has been found to be potentially linked to the Sally Beauty breach.

Data from Krebs' analysis shows that the Sally breach could have been 10 times larger than the company reported, affecting nearly all 2,600 Sally Beauty store locations. The findings are based on zip codes connected to stolen cards listed for sale on a cybercriminal shop, reports Krebs. Researchers studied the batch of 282,000 cards and found there are nearly the exact same number of U.S. ZIP codes represented in the batch as there are unique U.S. ZIP codes of Sally Beauty stores. In fact, researchers reportedly found a 99.99 percent overlap in the ZIP codes.

This point is key -- especially considering that in the wake of the Target (NYSE:TGT) breach, which was also first reported by Krebs -- the list of 1,800 specific ZIP codes listed in the cybercriminals' shop was nearly identical to the list of ZIP codes where Target stores are located.

Sally Beauty said on March 17 that credit card data from up to 25,000 customer accounts was compromised in a systems breach discovered on March 5. At the time, security analysts suspected the attack could be the work of the same criminals who stole 40 million credit and debit cards from Target, reports KrebsOnSecurity.

"We have now discovered evidence that fewer than 25,000 records containing card-present (track two) payment card data have been illegally accessed on our systems and we believe it may have been removed," Sally Beauty said in a statement.

The Denton, Texas-based seller of beauty supplies said it is investigating with a forensics firm and is working with the U.S. Secret Service.

This Sally breach followed wide-scale attacks on Target and Neiman Marcus that occurred during the critical holiday shopping season. Last month, Target reported a 46 percent decline in fourth-quarter profit, as costs related to the breach weighed on the retailer's earnings. Target was hit with $61 million in quarterly expenses from the breach.

Most recently, U.K. grocer Morrisons came under attack when personal information from about 100,000 of its employees was leaked by an insider and posted on the internet. The information included names, addresses and bank account details of staffers from all levels of the organization.

For more:
-See this KrebsOnSecurity article

Related stories:
Target: Timeline of a data breach
Target's data breach is a story with long legs
Target breach: Heating vendor confirmed as hackers' entry point
Target to install chip and PIN card readers, says that only 25 registers were to blame for massive breach
The story of how Target had chip and PIN cards, but failed to keep them