Sally Beauty Supply Targeted in Latest Credit Card Breach as EMV Deadline Looms
DENTON, Texas, May 14 (UPI) — For the second time in a little more than a year, customer credit card data has been been breached at Sally Beauty Supply, as a deadline looms for all retailers to become EMV compliant.
The company, based in Denton, Texas, said Thursday it is investigating reports of unusual credit card activity from customers who have shopped at its 2,800 stores across the nation.
“We believe it is in the best interests of our customers to alert them that we now have sufficient evidence to confirm that an illegal intrusion into our payment card systems has indeed occurred. However, we will not speculate on the scope of the intrusion as our forensics investigation is still underway,” said Chris Brickman, president and CEO. “We are working diligently to address the issue and to care for any customers who may have been affected by the incident.”
Sally Beauty supply declined to say just how many credit cards have been compromised, but a similar breach in March 2014 affected nearly 25,000 customers.
Thursday’s data breach announcement comes less than five months before a deadline in which Sally Beauty Supply and other retailers must upgrade their point-of-sale systems to accept chip-based Europay, MasterCard and Visa (EMV) credit cards.
The system, which is already in use in Europe, will create a unique code for each transaction, making it difficult for counterfeiters to use these cards to commit fraud. For online and mobile transactions, traditional account numbers will be replaced with a unique digital payment code that will provide additional security. Since implementing the technology five years ago, Europe has reported a drop in lost and stolen credit card fraud by 58 percent.
On Oct. 1, if a retailer doesn’t accept credit cards with an EMV chip, the company will be liable for fraudulent charges on customers’ payment cards, not banks.
Meanwhile, Starbucks customers are also reporting fraudulent activity on credit cards associated with the company’s mobile app. The coffee company acknowledged Wednesday that credit and debit cards, and PayPal accounts loaded into the mobile app’s payment system, have been targeted by hackers to purchase Starbucks gift cards.
Jean Obando told CNNMoney his PayPal account was drained of $550 in December after he used the Starbucks gift card loaded onto a mobile app. He said after he made a purchase at Starbucks, he received several notifications that he had purchased Starbucks electronic gift cards.
Obando was never asked to give secondary approval for the purchases. It took two weeks for him to get his money back.
“Now, I just pay with my credit card or cash,” he said. “I can’t trust Starbucks with my payment information anymore.”
Starbucks said the breach of data has not happened through its servers, but instead through customers’ personal Starbucks accounts.
The company said the hacks occur when criminals obtain user names and passwords from other websites and apply that information to customers’ Starbucks accounts. The company suggested customers use different login information for different websites that keep financial information.
“Like all major retailers, the company has safeguards in place to constantly monitor for fraudulent activity and works closely with financial institutions,” the company said in a statement Wednesday. “To protect the integrity of these security measures, Starbucks will not disclose specific details but can assure customers their security is incredibly important and all concerns related to customer security are taken seriously.”
