Forever 21 has revealed that a data breach discovered in November has resulted in the theft of credit card information belonging to customers.
The US clothing retailer said previously that a potential data breach was the subject of an investigation into its outlets after a third-party supplier tipped the company off to the potential lapse in security.
Forever 21 hired an external cyberforensics firm to investigate the problem, and while back then it was "too early" to provide any concrete details, the company warned that "certain point-of-sale (PoS) devices in some Forever 21 stores were affected" where encryption may not have been utilized.
In an update, the retailer has now revealed the results of the investigation.
According to the company, PoS devices used to facilitate customer purchases at some stores was not "always on," leading to the installation of malware and unauthorized network access.
The malware in question searched for payment track data and gleaned information from cards including card numbers, expiration dates, and internal verification codes.
Forever 21 says that on "occasion" the cardholder name was also stolen.
The malware was operating in some outlets from April 3, 2017, to November 18, 2017.
"In some stores, this scenario occurred for only a few days or several weeks, and in some stores, this scenario occurred for most or all of the timeframe," the company says. "Each Forever 21 store has multiple PoS devices, and in most instances, only one or a few of the PoS devices were involved."
All Forever 21 stores have a log system which keeps track of accepted transactions and authorizations. When encryption was not in use, payment card data was also stored in this log.
The malware used was also installed on these log devices, and so if encryption was not enabled prior to April 3 and the data was still stored, the malware may have also had access to the past information of customer transactions.
In turn, it is possible that credit card data related to purchases outside of the core data breach timeframe may also have been exposed.
It is not yet known how many stores, and how many customers, may have been involved in the data breach. While the breach has impacted US outlets, the firm says that the investigation is still "ongoing" to see whether stores outside of the country have also been involved.
Forever 21 says it is working with payment processors, PoS device suppliers, and cybersecurity professionals to address the encryption issue and "enhance its security measures," and advises customers to keep an eye on their credit report for suspicious activity.
Previous and related coverage
The commission says that "illicit gain through trading" may have been the key motivator.
Former Equifax CEO Richard Smith says the data breach shouldn't have happened on his watch.
A hacker from Florida was allegedly paid $100,000 to keep his mouth shut and delete stolen user data.