Retail chain Sally Beauty knows that it was sick and when. Now the challenge is to figure out what made it sick.
The beauty chain said in a May 28 release that its point of sale systems were infected with malware from March 6 to April 17. The chain began investigating the breach in late April, and it still has some unanswered questions.
"Because we cannot pinpoint exactly which cards might have been affected during our reported date range, we are offering credit monitoring services to any customer who used their payment card at a U.S. Sally Beauty store between March 6th and April 17th of 2015," Sally Beauty president and chief executive Chris Brickman said in the release.
The company said that no customer debit card personal identification numbers have been compromised because it does not collect and store them.
This latest retail breach highlights the challenges of protecting customer data, and how companies can react to mitigate the damage. The sheer amount of data makes quickly identifying and tracking breaches hard. The tendency for consumers to visit multiple stores in one trip only adds another degree of difficulty.
"The sheer amount of data in and of itself is causing challenges," said Kevin Epstein, vice president of advanced security and corporate governance for cybersecurity firm Proofpoint.
"Sally Beauty seems to be doing the right thing," in notifying its payment partners and customers, said Epstein, who likened Sally Beauty's announcement to realizing it had the flu but not how it caught the bug.
Point of sale systems were particularly susceptible because they're designed for keeping customer data secure during transmission, rather than protection from threats to their own integrity; they're engineered to guard against "wiretapping, not sabotage," he said.
In homing in on the source of a breach, "you can have a lot of false echoes" before finding the cause, said Julie Conroy, research director for retail banking at consulting firm Aite Group.
But even if the retailer doesn't know how it was compromised, the means are widely available to fraudsters. "The kits that facilitate this can be bought for $2,000," Conroy said.