The clothing store is far from the only company to experience a data breach in the last year: Verizon, Uber, and of course, Equifax also experienced major incidents that put customer information at risk, highlighting the need for more concentrated security efforts to keep business running.
In October 2017, a third party informed Forever 21 of a potential breach to their system, with unauthorized users possibly accessing customer payment information. The company first informed customers of the incident in November 2017, as noted by our sister site ZDNet, though few details were available.
The company launched an investigation, and found that while they have used encryption in their point of sale (POS) systems since 2015, machines in some stores had the protection turned off. Further, signs of unauthorized access and malware that searches for payment information were found on some POS devices that were no longer encrypted.
“The malware searched only for track data read from a payment card as it was being routed through the POS device,” according to the statement. “In most instances, the malware only found track data that did not have cardholder name – only card number, expiration date, and internal verification code – but occasionally the cardholder name was found.”
Forever 21 determined that encryption was turned off and malware was downloaded on some POS devices in US stores intermittently between April and November 2017. In certain stores, this occurred for only a few days or weeks, but it lasted for months in others, the statement said. In most cases, only one or a few of a store’s multiple POS devices were impacted.
Malware was also found in some of the logs kept by each store that record card transactions when their encryption was turned off, potentially putting more card information at risk.
Credit and debit cards used to make purchases on Forever21.com were not affected, according to the statement. Investigations are ongoing as to whether or not POS machines in stores outside of the US were also affected.
Forever 21 advised customers to review bank statements for any unauthorized activity, and to report such charges to the card issuer.