Apparel retailer Forever 21 says point-of-sale systems in some of its stores were infected by malware for up to seven months, compromising shoppers' payment card data.
On Tuesday, Forever 21 issued an update on its investigation into the "payment card security incident" that it first announced in November.
The retailer now says that an investigation conducted by a third-party incident response firm that it hired has found that malware infected some POS devices last year between April 3 and November 18, and that in some cases "encryption technology" being used by its "payment processing system" was not active, allowing malware-wielding attackers to steal payment card data that was being stored in logs of completed transactions.
Some stores suffered breaches lasting for the entire seven months, while others were breached "for only a few days or several weeks," Forever 21 says. "We regret this incident occurred and any concern this may have caused you."
Privately held Forever 21 sells "cheap chic" women's and men's clothing and accessories, catering especially to teenage girls and young women, and operates about 400 stores globally, many located in shopping centers. Founded in California in 1984, Forever 21 says it's the fifth largest specialty retailer in the United States.
The retailer says malware stole payment card data from U.S. customers when they paid via infected POS systems. In some cases, the retailer's systems were also inadvertently storing logs of completed transactions that included payment card data, which attackers may have also obtained, it says.
"The investigation determined that the encryption technology on some point-of-sale devices at some stores was not always on," Forever 21 says in its data breach update. "The investigation also found signs of unauthorized network access and installation of malware on some POS devices designed to search for payment card data. The malware searched only for track data read from a payment card as it was being routed through the POS device."
Forever 21 says the malware obtained shoppers' card number, expiration date and internal verification code and in some cases also cardholders' names.
Forever 21 says its stores' payment processing systems have used encryption since 2015. The retailer did not immediately respond to a request for comment about what it means by "encryption technology," why in some cases it was not active and whether it may have been deactivated by attackers. But the retailer may be referring to encrypting stored payment card data and potentially also using point-to-point encryption to protect data being sent from POS devices to payment processors.
Forever 21 says that since launching its breach investigation, it has been "working with its payment processors, POS device provider and third-party experts to address the operation of encryption on the POS devices in all Forever 21 stores."
The retailer says that no payment cards used on its website were compromised in this attack.
Forever 21 says it launched its data breach investigation in mid-October 2017 after receiving a report from an unnamed third party that its customers' card data may have been compromised.
The retailer says that in some cases, attackers infected devices that stored log data with malware "that was capable of finding payment card data from the logs, so if encryption was off on a POS device prior to April 3, 2017, and that data was still present in the log file at one of these stores, the malware could have found that data."
Forever 21's breach investigation has so far confirmed that some U.S. stores were affected. The company did not immediately respond to a request for comment about how many stores suffered malware infections or how many payment cards may have been compromised. The retailer says it's working with law enforcement agencies to investigate the breach as well as with payment card networks to notify financial services firms whose customers' card data may have been compromised.
The retailer has recommended that all customers monitor their bank and other financial statements for signs that they may have been the victim of identity theft or fraud. "You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner," it says.
International Stores Affected?
It's not yet clear if Forever 21 retail stores located outside of the United States may have also been breached by malware-wielding attackers. The retailer operates stores in numerous countries, including Canada, Ireland, Japan, Singapore, South Korea and the United Kingdom.
"Forever 21 stores outside of the U.S. have different payment processing systems, and our investigation is ongoing to determine if any of these stores are involved," the retailer says.
Payment Card Data Breach Epidemic
Confirmation that Forever 21 was hacked with POS malware makes it the latest victim in a long line of payment card breach victims. This epidemic is largely centered on U.S. restaurants, retailers and hotels (see Chipotle: Hackers Dined Out on Most Restaurants).
The problem is compounded by the ease of procuring card-scraping malware from underground cybercrime forums as well as poor information security practices by many organizations in the hospitality and retail sectors, according to Verizon's 2017 Data Breach Investigations Report.
Some information security experts recommend that any organization that uses POS terminals should assume they have been breached unless it can demonstrably and repeatedly prove otherwise.
Beyond targeting POS systems, attackers have also focused on POS system providers. In 2016, Oracle issued an alert about its MICROS point-of-sale hardware and software, used across 330,000 customer sites in 180 countries, warning that it had "detected and addressed malicious code in certain legacy MICROS systems." Security experts say many more POS vendors have also been targeted (see Breach Alert: POS Vendor Lightspeed).
Forever 21 has not disclosed the identity of its POS device provider.