
Commentary: Possible Data Breach at Sally Beauty Holdings


By Ken Westin, Tripwire

For the second time in a year, Sally Beauty Holdings, which owns U.S. Sally Beauty stores, is investigating reports of unusual activity involving payment cards used at some of its stores.

The fact that we continue to see retail breaches even after some of the mega breaches over the past year indicates two things. First, attackers are adapting their methods and the sophistication of their tools. Second, many retailers have yet to invest in detection and haven’t yet adapted their defenses to detect these very real threats.

The retail industry as a whole needs to move to point-to-point encryption (P2PE). That can come at a heavy cost because it often requires an overhaul of existing payment systems, so it is not something that will happen quickly.

Point-of-sale malware continues to evolve, and most families of retail malware can evade basic security controls. The initial points of intrusion remain fairly constant: attackers either leverage exploits against known vulnerabilities or run successful spear phishing campaigns.

Both the intrusion and the malware components can be better detected by taking a layered security approach, monitoring endpoints and the network itself closely for anomalies and indicators of compromise specific to retail breaches. These include configuration changes, unauthorized processes, and credit card data appearing on file systems, in RAM or anywhere else outside the PCI environment.

Ken Westin is a security analyst at Tripwire, a provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats.
