Fast-fashion giant details security breach
Forever 21 is ramping up security at its checkout counters.
The fast-fashion retailer announced that a two-month investigation had confirmed unauthorized access to its computer network through malware installed on point-of-sale devices at some of its U.S. stores. News of the breach was first disclosed in November.
Forever 21 said its payment processing system has been using encryption technology since 2015. Its investigation determined that the encryption technology on some POS devices at some stores (it did not reveal how many locations were impacted) was not always on and that malware had been installed by criminals looking to mine the system for customer payment data. The chain said the malware searched only for track data read from a payment card as it was being routed through the POS device, and that, in most instances, the malware only found track data that did not have cardholder name – only card number, expiration date, and internal verification code. However, in some instances, the cardholder name was found.
The breach in the system occurred between April 3 and Nov. 18 of 2017. In some stores, it occurred for only a few days or several weeks, and in some stores this scenario occurred for most or all of the timeframe. Each Forever 21 store has multiple POS devices, and in most instances only one or a few of the POS devices were involved, according to the company.
The company’s investigation also found some stores’ authorized payment data logs could have also potentially been under attack by the malware.
Forever 21 said it has been working with its payment processors, POS device provider, and third-party experts to address the operation of encryption on the POS devices in all Forever 21 stores
“In addition to addressing encryption, Forever 21 is continuing to work with security firms to enhance its security measures,” the company said in a statement. “We also continue to work with the payment card networks so that the banks that issue payment cards can be made aware of this incident. Lastly, we will continue to support law enforcement’s investigation of this incident.”
Forever 21 operates more than 815 stores in 57 countries.
The fast-fashion retailer announced that a two-month investigation had confirmed unauthorized access to its computer network through malware installed on point-of-sale devices at some of its U.S. stores. News of the breach was first disclosed in November.
Forever 21 said its payment processing system has been using encryption technology since 2015. Its investigation determined that the encryption technology on some POS devices at some stores (it did not reveal how many locations were impacted) was not always on and that malware had been installed by criminals looking to mine the system for customer payment data. The chain said the malware searched only for track data read from a payment card as it was being routed through the POS device, and that, in most instances, the malware only found track data that did not have cardholder name – only card number, expiration date, and internal verification code. However, in some instances, the cardholder name was found.
The breach in the system occurred between April 3 and Nov. 18 of 2017. In some stores, it occurred for only a few days or several weeks, and in some stores this scenario occurred for most or all of the timeframe. Each Forever 21 store has multiple POS devices, and in most instances only one or a few of the POS devices were involved, according to the company.
The company’s investigation also found some stores’ authorized payment data logs could have also potentially been under attack by the malware.
Forever 21 said it has been working with its payment processors, POS device provider, and third-party experts to address the operation of encryption on the POS devices in all Forever 21 stores
“In addition to addressing encryption, Forever 21 is continuing to work with security firms to enhance its security measures,” the company said in a statement. “We also continue to work with the payment card networks so that the banks that issue payment cards can be made aware of this incident. Lastly, we will continue to support law enforcement’s investigation of this incident.”
Forever 21 operates more than 815 stores in 57 countries.