Sally Beauty Data Incident

 

March 17, 2014


As we previously stated on March 5th, our systems detected an unauthorized attempted intrusion into our Sally Beauty Supply LLC network.  At the time of this discovery, we immediately engaged a top-tier forensics firm (Verizon) to investigate this security incident.    As a result of this ongoing investigation, we have now discovered evidence that fewer than 25,000 records containing card-present (track 2) payment card data have been illegally accessed on our systems and we believe it may have been removed.  As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation.  As a result, we will not speculate as to the scope or nature of the data security incident.

We take this criminal activity very seriously. We continue to work diligently with Verizon on this investigation and are taking necessary actions and precautions to mitigate and remediate the issues caused by this security incident.  In addition, we are working with the United States Secret Service on their preliminary investigation into the matter. 

Customers are our top priority at Sally Beauty, and we will be responding to customers' needs concerning this security incident.  Please check our website sallybeautyholdings.com in the coming days to learn about the progress of our work to address the security incident, the status of our investigation, and steps we will be taking to assist any affected customer.  We will be providing appropriate notifications to affected consumers and others, as necessary, as the facts develop and we learn more.

About Sally Beauty Holdings, Inc.

Sally Beauty Holdings, Inc. (SBH) is an international specialty retailer and distributor of professional beauty supplies with revenues of $3.6 billion annually. Through the Sally Beauty Supply and Beauty Systems Group businesses, the Company sells and distributes through 4,700 stores, including approximately 200 franchised units, throughout the United States, the United Kingdom, Belgium, Chile, France, the Netherlands, Canada, Puerto Rico, Mexico, Ireland, Spain and Germany. Sally Beauty Supply stores offers up to 10,000 products for hair, skin, and nails through professional lines such as Clairol, L'Oreal, Wella and Conair, as well as an extensive selection of proprietary merchandise. Beauty Systems Group stores, branded as CosmoProf or Armstrong McCall stores, along with its outside sales consultants, sell up to 10,000 professionally branded products including Paul Mitchell, Wella, Sebastian, Goldwell, Joico, and Aquage which are targeted exclusively for professional and salon use and resale to their customers. For more information about Sally Beauty Holdings, Inc., please visit sallybeautyholdings.com.

Cautionary Notice Regarding Forward-Looking Statements

Statements in this news release and the schedules hereto which are not purely historical facts or which depend upon future events may be forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended. Words such as "anticipate," "believe," "estimate," "expect," "intend," "plan," "project," "target," "can," "could," "may," "should," "will," "would," or similar expressions may also identify such forward-looking statement.

Readers are cautioned not to place undue reliance on forward-looking statements as such statements speak only as of the date they were made. Any forward-looking statements involve risks and uncertainties that could cause actual events or results to differ materially from the events or results described in the forward-looking statements, including, but not limited to, risks and uncertainties related to: the highly competitive nature of, and the increasing consolidation of, the beauty products distribution industry; anticipating changes in consumer preferences and buying trends and managing our product lines and inventory; potential fluctuation in our same store sales and quarterly financial performance; our dependence upon manufacturers who may be unwilling or unable to continue to supply products to us; the possibility of material interruptions in the supply of beauty supply products by our manufacturers or third-party distributors; products sold by us being found to be defective in labeling or content; compliance with laws and regulations or becoming subject to additional or more stringent laws and regulations; product diversion; the operational and financial performance of our franchise-based business; the success of our e-commerce business; successfully identifying acquisition candidates and successfully completing desirable acquisitions; integrating acquired businesses; opening and operating new stores profitably; the impact of the health of the economy upon our business; the success of our cost control plans; protecting our intellectual property rights, particularly our trademarks; the risk that our products may infringe on the intellectual property of others; conducting business outside the United States; disruption in our information technology systems, including as a result of natural or man-made events (caused by us, by our service providers or others) or by computer viruses,  or physical or electronic break-ins; reports that our information systems were breached; a significant data security breach, including misappropriation of our customers' or employees' personal information, the potential costs related thereto and the negative impact on our reputation and loss of confidence of our customers, suppliers and others; a failure to detect, determine the extent of and appropriately respond to a significant data security breach; costs and diversion of management attention required to investigate and remediate a data security breach, including any governmental investigations or litigation relating thereto; severe weather, natural disasters or acts of violence or terrorism; the preparedness of our accounting and other management systems to meet financial reporting and other requirements and the upgrade of our financial reporting system; being a holding company, with no operations of our own, and depending on our subsidiaries for cash; our substantial indebtedness; the possibility that we may incur substantial additional debt, including secured debt, in the future; restrictions and limitations in the agreements and instruments governing our debt; generating the significant amount of cash needed to service all of our debt and refinancing all or a portion of our indebtedness or obtaining additional financing; changes in interest rates increasing the cost of servicing our debt; the potential impact on us if the financial institutions we deal with become impaired; and the costs and effects of litigation.

Additional factors that could cause actual events or results to differ materially from the events or results described in the forward-looking statements can be found in our most recent Annual Report on Form 10-K for the year ended September 30, 2013, as filed with the Securities and Exchange Commission. Consequently, all forward-looking statements in this release are qualified by the factors, risks and uncertainties contained therein. We assume no obligation to publicly update or revise any forward-looking statements.

Contact:
Sally Beauty Holdings, Inc.
Investor Relations
Karen Fugate, 940-297-3877

Edelman
David J. Chamberlin
214-443-7560 or david.chamberlin@edelman.com

General Q&A

1. How and when did Sally Beauty learn about the security incident?

As we previously stated on March 5th, our systems detected an unauthorized attempted intrusion into our Sally Beauty Supply LLC network.  At the time of this discovery, we immediately engaged a top-tier forensics firm (Verizon) to investigate this security incident. As a result of this ongoing investigation, we have now discovered evidence that some payment card data may have been illegally accessed on our systems and we believe it has been removed.  Please check sallybeauty.com for updates. 

2. What Sally Beauty customer payment card information was affected?

At this time, we believe card-present payment card data - customer name, credit or debit card number, and the card's expiration date and CVV - was affected. We do not believe that sensitive information, (other than card numbers) such as social security numbers or dates of birth, was compromised as part of this issue. In addition, Sally Beauty does not collect PIN data and, therefore, it should not be at risk. As experience has shown in prior data security incidents at other companies, it is difficult to ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation.  As a result, we will not speculate as to the scope or nature of the data security incident. Please check sallybeauty.com for updates.

3. How many customers were affected and over what time period?

As experience has shown in prior data security incidents at other companies, it is difficult to
ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation.  As a result, we will not speculate as to the scope or nature of the data security incident. Please check the release above and sallybeauty.com for updates.

4. Did this incident affect customers that shopped online?

As experience has shown in prior data security incidents at other companies, it is difficult to
ascertain with certainty the scope of a data security breach/incident prior to the completion of a comprehensive forensic investigation.  As a result, we will not speculate as to the scope or nature of the data security incident. Please check sallybeauty.com for updates.

5. When can we expect an update from Sally Beauty on this issue?

As we gain additional insight into the data security incident, we will post updates on our website sallybeauty.com.   For the affected consumers, we will provide appropriate notifications as the facts develop.

6. When did Sally Beauty discover the illegal access to and possible removal of payment card data? 

As we previously stated in our March 5, 2014 Statement, we detected an attempted intrusion into our Sally Beauty Supply LLC network. We only very recently discovered evidence that some payment card data has been illegally accessed on our systems and that it may have been removed.  We moved rapidly to disclose that information to you. In these types of situations, we want to balance being as proactive as possible while also providing an accurate picture of what has occurred.

7. Has the potential security issue been resolved?

We are taking a number of steps to contain the situation, including:

  • Contacting and working directly with the U.S. Secret Service, the payment brands, our merchant processor, a leading investigations, intelligence and risk management firm, and a leading, payment brand approved forensics firm to investigate the situation
  • Conducting a full review of all of our payment card information systems and vulnerability assessment
  • Reviewing our intrusion detection systems and firewalls
  • Reinforcing our security tools
  • Reviewing and hardening our systems
  • Modifying our software and security credentials
  • Searching for and removing all malware we discover on our systems


8. What are some of the steps that customers concerned about this loss of payment card information can take?

There are several steps customers can take if they are concerned about fraudulent activity.

They should check their statements to see if there is any fraudulent or suspicious activity. If there is any unauthorized activity, they should call their bank or financial institution in order to report the issue.

Secondly, consumers may consider placing a fraud alert on their credit reports to help mitigate potential issues. To do this, you will need to contact one of the three credit reporting agencies.

Equifax: 1-800-525-6285     

Experian: 1-888-397-3742   

TransUnion: 1-800-680-7289

Finally, be on the lookout for phishing schemes. Our email correspondence regarding this incident will not contain any links, so if you receive an email appearing to be from us that contains a link, it is not from us, and don't click on the link. Also, never provide sensitive information to unsolicited requests claiming to come from us, your bank or other institutions. We would never ask you for sensitive information via email.

9. Will consumers be liable for fraudulent charges?

The payment brands (e.g. Visa, MasterCard, Discover and American Express) all publish their own policies about fraudulent charges. Please contact your card brand or issuing bank for more information about the policy that applies to you.

10. There are fraudulent charges on my credit/debit card. What do I do?

Contact the bank or financial institution that issues your card right away and let them know of the fraudulent charges.  They will provide you with instructions on how to dispute the charges. 

11. Does this mean that I'm a victim of identity theft?

The fact that someone may have had access to payment card information does not necessarily mean that you are a victim of identity theft, or that it will be used to commit
fraud.  We wanted to let you know about the incident so that you can take appropriate steps to protect yourself, such as by reviewing your account statements closely for unauthorized activity, and reporting any unauthorized activity to the bank or financial institution that issues your card.  You may also wish to consider placing a fraud alert on your credit files.

12. Should I check my credit reports?

It never hurts to check your credit reports, even though, based on discussions with experts in the industry, the type of information potentially compromised typically isn't used to open new lines of credit.

13. Do I have to pay for the credit report?

You can order your credit reports for free from all three credit bureaus once a year.  You
can do this online at www.annualcreditreport.com, or by phone at 1-877-322-8228. 

14.  What does Sally Beauty plan to do for customers whose payment cards were affected by this data security incident?

Customers are our top priority at Sally Beauty, and we will be responding to customers' needs concerning this data security incident.  Please check our website sallybeauty.com in the coming days to learn about the progress of our work to address the security incident and steps we will be taking to assist any affected customer.  We will be providing appropriate notifications to affected consumers and others, as necessary, as the facts
develop and we learn more.

15. Should consumers contact Sally Beauty if they believe their payment cards were affected?

Such customers should contact the bank or financial institution that issued their cards about any fraudulent activity.  Contact information can be found on the back of their payment cards.  They are best suited for helping to resolve any unauthorized charges.

As noted above, Sally Beauty will be providing appropriate notifications to affected consumers and others, as necessary, as the facts develop and we learn more.

 

March 5, 2014 Sally Beauty Holdings Statement

In response to rumors throughout the retail industry regarding security intrusions at various retailers, Sally Beauty Holdings, Inc. issued the following statement on March 5, 2014:

Recently, our systems detected an attempted intrusion into our Sally Beauty Supply LLC network, and we believe we promptly mitigated potential issues arising from this intrusion. As a result of our ongoing investigation, which included assistance from a top-tier security firm, we have no reason to believe there has been any loss of credit card or consumer data. We will continue to investigate and actively monitor this situation.