Fashion retailer Forever 21 has confirmed there has been unauthorized access to data from payment cards used at some of its stores.
The company is notifying its customers that it recently received a report from a third party that about the breach, which affected card transactions from March to October 2017. It was quick however to offer reassurances:
“Because of the encryption and tokenization solutions that Forever 21 implemented in 2015, it appears that only certain point-of-sale devices in some Forever 21 stores were affected when the encryption on those devices was not in operation,” the company said in a statement.
Far from being reassuring, the apparent piecemeal approach to security gives some pause.
"Surprised and disappointed to hear this as it sounds like they weren’t (fully) PCI compliant. That is the first issue that they should disclose and whomever performed the audit should be held accountable. This continued poor hygiene needs to end,” Mike Kail, CTO at CYBRIC, said via email.
The LA-based retailer, which operates more than 815 stores in 57 countries, didn’t reveal just how many stores are affected (or where they’re located), citing an “ongoing investigation.” It said that once it had better clarity on the scope of the situation that it would update the public.
“Because a number of stores did not receive an encryption upgrade to their point of sale devices, hackers had the opening they needed to access payment card information,” said Adam Levin, chairman and founder at CyberScout, via email. “This is yet another cautionary tale that POS systems can become Points of Sabotage, when businesses fail to implement proper security measures. As we approach the busy holiday shopping season, retailers are prime targets for hack attacks and should make sure they practice safe cyber hygiene like encrypting data, regular penetration testing and monitoring of systems and employee training on proper privacy and security protocols. Holiday shoppers should not have to worry that their favorite pair of shoes or handbag comes with an unexpected and damaging price tag—their stolen data."