Sally Beauty Holdings Inc. confirmed Thursday that there was an “illegal intrusion” into its payment-card systems, marking the company’s second data breach in just over a year.
The Denton, Texas-based hair- and beauty-products retailer said there was “sufficient evidence” to confirm the breach, but that it would not “speculate on the scope.”
The company said earlier this month that it was investigating reports of unusual activity involving payment cards used at its stores. Sally Beauty said it was working with law enforcement, its credit-card processor and a third-party forensics expert. In a statement Thursday, the company said the forensic investigation is still ongoing.
“We are working diligently to address the issue and to care for any customers who may have been affected by the incident,” Chief Executive Chris Brickman said in a statement. “Our customers are our top priority and we regret any frustration or inconvenience this illegal breach may cause them.”
The company said customers would not be responsible for any fraudulent charges that are promptly reported.
Customers with concerns about their payment cards should call Sally Beauty’s customer-service hotline at 1-866-234-9442 or send an email to firstname.lastname@example.org.
A data breach at Sally Beauty in March 2014 affected fewer than 25,000 cards. The breach occurred just months after high-profile data breaches at retailers including Target Corp. and Neiman Marcus Group Ltd.
Kerstyn Clover, managing consultant for the investigations department at the SecureState information-security firm, said it’s not uncommon to see repeat breaches. She said companies will sometimes patch one problem but not take a look at the entire security system.
“We’re finally getting more mature as a whole, especially in the retail industry,” Clover said. “But that also means that we’re uncovering what’s going wrong. It kind of has to get messy before it gets better.”
Sally Beauty runs 4,900 stores around the globe.