Forever 21 investigation reveals malware presence at some stores

A recent data breach involved the installation of malware at point-of-sale systems at a number of outlets.
Written by Charlie Osborne, Contributing Writer

Forever 21 has revealed that a data breach discovered in November has resulted in the theft of credit card information belonging to customers.

The US clothing retailer said previously that a potential data breach was the subject of an investigation into its outlets after a third-party supplier tipped the company off to the potential lapse in security.

Forever 21 hired an external cyberforensics firm to investigate the problem, and while back then it was "too early" to provide any concrete details, the company warned that "certain point-of-sale (PoS) devices in some Forever 21 stores were affected" where encryption may not have been utilized.

In an update, the retailer has now revealed the results of the investigation.

According to the company, encryption on the PoS devices used to facilitate customer purchases at some stores was not "always on," leading to the installation of malware and unauthorized network access.

The malware in question searched for payment track data and gleaned information from cards including card numbers, expiration dates, and internal verification codes.

Forever 21 says that on "occasion" the cardholder name was also stolen.

The malware was operating in some outlets from April 3, 2017, to November 18, 2017.

"In some stores, this scenario occurred for only a few days or several weeks, and in some stores, this scenario occurred for most or all of the timeframe," the company says. "Each Forever 21 store has multiple PoS devices, and in most instances, only one or a few of the PoS devices were involved."

All Forever 21 stores have a log system which keeps track of accepted transactions and authorizations. When encryption was not in use, payment card data was also stored in this log.

The malware used was also installed on these log devices, and so if encryption was not enabled prior to April 3 and the data was still stored, the malware may have also had access to the past information of customer transactions.


In turn, it is possible that credit card data related to purchases outside of the core data breach timeframe may also have been exposed.
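The log exposure described above is something a defender can audit for directly. The following is an added example, not code from Forever 21 or the original article: it scans transaction log lines for cleartext Track 2 data and Luhn-valid card numbers and reports them masked. The log format, field names, and sample lines are constructed for illustration.

```python
import re

# Track 2 layout: PAN, '=' separator, YYMM expiry, 3-digit service code, discretionary data.
TRACK2 = re.compile(r"(?<!\d)(\d{13,19})=\d{4}\d{3}\d*\??")
# Bare card-number candidates: 13-19 digits that are not part of a longer digit run.
PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

# Constructed sample log (hypothetical format; 4111111111111111 is a well-known test number).
SAMPLE_LOG = [
    "2017-04-03T10:15:02 AUTH OK term=07 token=tok_9f3a amount=24.90",
    "2017-04-03T10:16:40 AUTH OK term=03 track2=;4111111111111111=25121010000000000? amount=12.00",
    "2017-04-03T10:17:11 AUTH OK term=03 pan=4111111111111111 exp=1225",
    "2017-04-03T10:18:30 AUTH OK term=05 order=1234567890123456 amount=8.50",
]

def luhn_ok(number):
    """Luhn checksum: filters out order ids and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep first six and last four digits so the report itself holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def audit_log(lines):
    """Return (line number, kind, masked PAN) for every cleartext card value found."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in TRACK2.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((lineno, "track2", mask_pan(m.group(1))))
        # Blank out Track 2 spans so their digits are not re-reported as bare PANs.
        rest = TRACK2.sub(" ", line)
        for m in PAN.finditer(rest):
            if luhn_ok(m.group(0)):
                findings.append((lineno, "pan", mask_pan(m.group(0))))
    return findings

if __name__ == "__main__":
    for lineno, kind, masked in audit_log(SAMPLE_LOG):
        print(f"line {lineno}: cleartext {kind} {masked}")
```

Any finding means card data reached the log unencrypted; Track 2 hits are the more serious case because that data includes the expiration date alongside the card number.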

It is not yet known how many stores, and how many customers, may have been involved in the data breach. While the breach has impacted US outlets, the firm says that the investigation is still "ongoing" to see whether stores outside of the country have also been involved.

Forever 21 says it is working with payment processors, PoS device suppliers, and cybersecurity professionals to address the encryption issue and "enhance its security measures," and advises customers to keep an eye on their credit report for suspicious activity.
