Forever 21 Breach Lasted Over Seven Months

Encryption was not turned on at some of the point of sale (POS) devices used in Forever 21 stores, exposing customers' card data to info-stealing malware last year, the firm has revealed.

In an update to November revelations of a major data breach, the fashion retailer claimed that an investigation had found signs of “unauthorized network access and installation of malware on some POS devices designed to search for payment card data.”

“The malware searched only for track data read from a payment card as it was being routed through the POS device,” it added. “In most instances, the malware only found track data that did not have cardholder name — only card number, expiration date, and internal verification code — but occasionally the cardholder name was found.”

To make matters worse, encryption was turned off in some stores for over seven months, from April 3 to November 18, 2017.

The statement continued:

“Additionally, Forever 21 stores have a device that keeps a log of completed payment card transaction authorizations. When encryption was off, payment card data was being stored in this log. In a group of stores that were involved in this incident, malware was installed on the log devices that was capable of finding payment card data from the logs, so if encryption was off on a POS device prior to April 3, 2017 and that data was still present in the log file at one of these stores, the malware could have found that data.”
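The statement above describes the two places the malware looked for card data: track data passing through a POS device with encryption off, and the same data retained in the authorization log device. A defender's check for the second case is to scan those logs for cleartext track 2 data or bare card numbers, which should never be present when encryption is working. The following Python script is an added example written for this article; it is not Forever 21's tooling or part of the company's statement. The log lines it scans are constructed, the track 2 layout follows the ISO/IEC 7813 convention (PAN, `=`, YYMM expiry, service code, discretionary data, `?`), and the two card numbers are well-known test PANs. It reports findings with the PAN masked so the scan output does not itself become a store of card data.

```python
import re
from typing import Dict, List

# Track 2 data as it appears on the magnetic stripe (ISO/IEC 7813 layout, assumed here):
#   ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# A bare run of 13 to 19 digits that may be a card number logged on its own.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; filters out most reference numbers and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS display rule), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log_line(line: str) -> List[Dict]:
    """Return findings for one log line: track 2 records first, then bare PANs."""
    findings: List[Dict] = []
    seen = set()
    for m in TRACK2_RE.finditer(line):
        pan = m.group(1)
        if luhn_valid(pan):
            findings.append({"kind": "track2", "pan": mask_pan(pan), "expiry": m.group(2)})
            seen.add(pan)
    for m in PAN_RE.finditer(line):
        pan = m.group(1)
        if pan in seen or not luhn_valid(pan):
            continue
        findings.append({"kind": "pan", "pan": mask_pan(pan)})
        seen.add(pan)
    return findings


def scan_log(lines) -> List[Dict]:
    """Scan an iterable of log lines and tag each finding with its 1-based line number."""
    results: List[Dict] = []
    for number, line in enumerate(lines, 1):
        for finding in scan_log_line(line):
            finding["line"] = number
            results.append(finding)
    return results


# Constructed sample of an authorization log. Lines 2 and 4 show what a log
# device retains when POS encryption is off; lines 1 and 3 are clean
# (a tokenized reference and an approval reference that is not Luhn-valid).
SAMPLE_LOG = [
    "2017-06-12 10:31:02 AUTH OK   term=12 amt=39.99 ref=1234567890123",
    "2017-06-12 10:31:03 AUTH OK   term=12 amt=59.50 track=;4111111111111111=21121011000000?",
    "2017-06-12 10:31:04 AUTH OK   term=12 amt=12.00 tok=9f3a2c7b",
    "2017-06-12 10:31:05 AUTH DECL term=13 amt=5.00  pan=5500000000000004 exp=2212",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['kind']} {f['pan']}")
```

Any hit from a scan like this is a direct indicator that encryption was not active for that terminal when the transaction was logged, which is the condition the statement describes; a Luhn-valid number in a field that is not a PAN can still produce a false positive, so findings are meant to be reviewed, not acted on automatically.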

Customers using the retailer’s website were not affected, and the firm is still trying to figure out if any stores outside the US were impacted.

It operates in over 50 countries worldwide, but hackers favor the US as chip and PIN has been slow to take off there, making it easier for them to steal the data and clone cards.
