For the second time in a year, Sally Beauty Supply may have been hacked. In March 2014 they were hacked to the tune of 260,000 credit cards (see post), and now they are investigating another breach (or maybe the old breach was never completely cleaned up).
Brian Krebs is reporting new details on last year’s breach. The first interesting detail is that Sally was using Tripwire, a well-respected and effective tool for detecting system changes. The hackers placed a file on Sally’s POS system to collect credit card numbers, and even though the file had the same name as a legitimate system file and even the same date and time, Tripwire alerted that the file had been altered. If they had acted on that alarm quickly, it would have reduced the number of compromised cards.
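The reason a tool like Tripwire still fires when a file keeps its name, size and timestamp is that it baselines the file's content hash, not just its metadata. The following is an added example (not Tripwire's code and not from the original post) showing that idea in miniature: it baselines a file, then simulates a same-name, same-size replacement with the original timestamps restored, and reports which attributes changed. The filename `pos_service.dll` and the file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def fingerprint(path):
    """Record the attributes an integrity monitor compares: content hash, size, mtime."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mtime": int(st.st_mtime)}


def build_baseline(paths):
    """Take the trusted snapshot of each monitored file."""
    return {p: fingerprint(p) for p in paths}


def check_baseline(baseline):
    """Return (path, [changed attributes]) for every file that no longer matches."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, ["missing"]))
            continue
        actual = fingerprint(path)
        reasons = [k for k in ("sha256", "size", "mtime") if actual[k] != expected[k]]
        if reasons:
            findings.append((path, reasons))
    return findings


def demo():
    """Constructed scenario: a monitored file is swapped for one with the same
    name, same length and the original timestamps; only the hash gives it away."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "pos_service.dll")  # hypothetical file name
        with open(target, "wb") as f:
            f.write(b"A" * 4096)
        baseline = build_baseline([target])

        st = os.stat(target)
        with open(target, "wb") as f:
            f.write(b"B" * 4096)             # different content, same size
        os.utime(target, (st.st_atime, st.st_mtime))  # put the timestamps back

        return check_baseline(baseline)


if __name__ == "__main__":
    for path, reasons in demo():
        print(f"ALERT {path}: changed {', '.join(reasons)}")
```

The finding lists only `sha256`: size and mtime are identical, which is exactly the situation in the breach. The practical lesson is that an integrity alert showing a hash mismatch with unchanged metadata is a high-signal event and deserves immediate triage, not a place in the backlog.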
The attackers got in by compromising an employee Citrix remote access web portal. They obtained the credentials of a district manager – who had his user name and password taped to his laptop.
Once inside, they scanned for scripts that administrators use, in particular ones that had usernames and passwords embedded in them. It is not clear why a district manager would have access to the part of the network where that kind of script lives.
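Administrator scripts with embedded credentials are a standing liability, and the defensive counterpart to what happened here is to audit your own script shares for them before anyone else does. The following is an added example (not from the original post and not any vendor's tool) of a small scanner that walks script text, flags lines that look like embedded credentials, and reports them with the secret redacted so the audit output itself does not become a new leak. The pattern list and the three sample scripts are constructed for the demonstration; the hostnames, account names and passwords in them are invented.

```python
import re

# Indicators of embedded credentials commonly seen in admin scripts.
# Assumed list for illustration; a real audit would extend it.
PATTERNS = [
    ("connstring", re.compile(r"(?i)(?:pwd|password)=(?P<secret>[^;\s]+)")),
    ("assignment", re.compile(r"(?i)\b(password|passwd|pwd|secret)\s*[:=]\s*[\"']?(?P<secret>[^\"'\s]+)")),
    ("net-use",    re.compile(r"(?i)\bnet\s+use\b.*?/user:\S+\s+(?P<secret>\S+)")),
    ("psexec",     re.compile(r"(?i)\bpsexec\b.*?\s-p\s+(?P<secret>\S+)")),
]

# Constructed sample scripts: two with embedded credentials, one that fetches them at runtime.
SAMPLE_SCRIPTS = {
    "deploy_registers.bat": (
        "@echo off\n"
        "net use Z: \\\\posfs01\\share /user:CORP\\svc_deploy Summer2014!\n"
        "copy Z:\\update.exe C:\\pos\\\n"
    ),
    "backup.ps1": (
        "$conn = 'Server=db01;Database=pos;User Id=sa;Password=P@ssw0rd;'\n"
        "Invoke-Backup -Connection $conn\n"
    ),
    "ok.sh": (
        "#!/bin/sh\n"
        "# reads credentials from a vault at runtime instead of embedding them\n"
        "TOKEN=$(vault read -field=token secret/pos)\n"
    ),
}


def redact(secret):
    """Never echo the credential back; report only that one was present and how long it was."""
    return f"<{len(secret)} chars redacted>"


def scan_script(name, text):
    """Return one finding per line that matches a credential pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if m:
                findings.append({"script": name, "line": lineno,
                                 "kind": kind, "secret": redact(m.group("secret"))})
                break  # first matching pattern is enough for this line
    return findings


def scan_all(scripts=SAMPLE_SCRIPTS):
    """Scan every script in the collection and return the combined findings."""
    findings = []
    for name, text in scripts.items():
        findings.extend(scan_script(name, text))
    return findings


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f['script']}:{f['line']} [{f['kind']}] {f['secret']}")
```

Running it flags the `net use` line in the batch file and the connection string in the PowerShell script, and says nothing about the shell script that pulls its token from a vault at run time. Each hit is a credential that should be moved into a secrets store and, since it has already been sitting in plain text, rotated.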
Once the attackers had mapped out the network, and with the benefit of the credentials they found in the scripts, they were able to copy the malware to the cash registers.
While Sally has claimed that only 25,000 cards were compromised, the Secret Service put the number at around 260,000 and the tech source for the article says the number was likely closer to a million.
Now Sally is saying that they are investigating new claims of a breach. If this one is like the last one, we won’t really get much information from them.
So, while they get credit for using Tripwire and maybe for quickly responding to the alert, there are enough other bad practices to leave them in the negative column for security practices.
In any case, watch your credit card statements and text messages.