LOS ANGELES–Forever 21 has become the latest retailer to announce its payments systems have likely been breached, in another case of what appears to be a simple security failure that led to an extended period of vulnerability.
According to the company, credit card information may have been compromised at some of its more than 800 brick-and-mortar stores after it failed to turn on encryption at some of its POS terminals. Forever 21 has now confirmed what it acknowledged in November 2017, that a third party “suggested” there may have been some unauthorized access. At year-end, it confirmed a breach had occurred, although Forever 21 has not said how many customers were potentially affected or even which stores had the compromised POS devices.
Forever 21 said hackers had access to customers’ payment card data for up to seven months in 2017 – from April 3 to Nov. 18. The attackers accessed its network and installed malware in a job made easier, according to the company, because encryption was not turned on in some of Forever 21’s POS devices.
In addition to the lack of encryption, Forever 21 said that investigators it hired reported that in some of the retail stores’ POS devices “found signs of unauthorized network access and installation of malware on some POS devices designed to search for payment card data.”
According to Forever 21, the malware “searched only for track data read from a payment card as it was being routed through the POS device. In most instances, the malware only found track data that did not have cardholder name — only card number, expiration date, and internal verification code — but occasionally the cardholder name was found.”
Forever 21 further reported its stores have a device that keeps a log of completed payment card transaction authorizations, and that when encryption was off, malware was installed on some log devices that was capable of finding payment card data from the logs.
This isn’t the first time Forever 21 has been hit by hackers. It reported a compromise was ongoing from 2004 to 2007, as well.