The international retailer and distributer of beauty products, which has revenues of $3.6 billion annually, found its data had been hacked on 5 March and disclosed the breach at the time.
Forensics from communications giant Verizon are continuing the investigation into the security breach and have now confirmed the illegal access of the data, and Sally Beauty stating that it is ‘likely’ that the accessed data was also stolen.
The company believes that affected records consist of card-present payment card data - customer name, credit or debit card number, and the card's expiration date and CV.
The beauty brand is a key player on the US cosmetics scene, with more than 2,700 retail outlets in the US, as well as acting as distributer to retailers across the world in Europe and South America.
The extent of the breach, though apparently smaller in scale than other recent illegal hacking attacks sustained fellow US retailers Target Corps and Neiman Marcus, has yet to be fully established.
“It is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation. As a result, we will not speculate as to the scope or nature of the data security incident,” Sally Beauty stated.
The company was quick to reassure consumers, saying “customers are our top priority at Sally Beauty, and we will be responding to customers' needs concerning this security incident.”
“We will be providing appropriate notifications to affected consumers and others, as necessary, as the facts develop and we learn more.”
The company is keen to publicize the steps it is taking to contain the incident, including working with relevant bodies such as the U.S. Secret Service, and conducting a full review of all of payment card information systems.
It remains to be seen how consumers and shareholders will respond to the breach, as trust is paramount to digital sales, and how this will affect the company’s financial outlook.