Forever 21 confirmed hackers breached payment system for 7 months, admitted encryption was turned off on some POS devices

If you shopped in a brick-and-mortar Forever 21 store this year, your credit card information may have been compromised due to the company’s failure to turn on encryption in some of its point-of-sale (POS) terminals.

In mid-November, Forever 21 admitted that a third party “suggested” there might have been unauthorized access to payment card data. On Dec. 28, 2017, the company revealed more details about the breach without actually saying how many customers were potentially affected or even which stores had the compromised POS devices.

For starters, the investigation into the security incident revealed that hackers had access to customers’ payment card data for up to seven months in 2017 – from April 3 to Nov. 18. Attackers had obtained network access and installed malware meant to harvest credit card data. But the real mind-blower is that encryption was not even turned on in some of Forever 21’s POS devices.

Sure, the company said it implemented encryption technology in 2015, yet the “leading payment technology and security firms” investigating the unauthorized access determined the built-in encryption on some POS devices “was not always on.”

According to its newest payment card security incident report, Forever 21 explained that in addition to the lack of encryption in some of the retail stores’ POS devices, investigators hired in October “found signs of unauthorized network access and installation of malware on some POS devices designed to search for payment card data.”

The malware, Forever 21 said, “searched only for track data read from a payment card as it was being routed through the POS device.
In most instances, the malware only found track data that did not have cardholder name — only card number, expiration date, and internal verification code — but occasionally the cardholder name was found.”

Forever 21 added:

The investigation found that encryption was off and malware was installed on some devices in some U.S. stores at varying times during the period from April 3, 2017, to November 18, 2017. In some stores, this scenario occurred for only a few days or several weeks, and in some stores this scenario occurred for most or all of the timeframe. Each Forever 21 store has multiple POS devices, and in most instances only one or a few of the POS devices were involved.

Additionally, Forever 21 stores have a device that keeps a log of completed payment card transaction authorizations. When encryption was off, payment card data was being stored in this log. In a group of stores that were involved in this incident, malware was installed on the log devices that was capable of finding payment card data from the logs, so if encryption was off on a POS device prior to April 3, 2017 and that data was still present in the log file at one of these stores, the malware could have found that data.

Not the first time Forever 21 admitted to being hacked

While that is better than no details, there were certainly more hard numbers provided the last time Forever 21 was hacked. In 2008, Forever 21 announced that the U.S. Secret Service had given the company a disk of customers’ compromised payment data, which included 98,930 credit and debit card numbers. Hackers had accessed payment data on nine different dates from March 2004 to August 2007. Approximately 20,500 of those had been obtained from the Forever 21 retail store in Fresno, California, between November 2003 and October 2005.

Forever 21 said it “regrets” this latest security incident and is working with experts to address its encryption failure in POS devices.
It is also working to determine if payment systems used in its stores outside the U.S. had been affected. Payment data via purchases from its website reportedly were not affected.
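
The article notes that when encryption was off, payment card data was written to the stores' transaction authorization log. The following is an added example, not part of the original article or Forever 21's tooling: a Python audit that scans log lines for cleartext ISO/IEC 7813 track data, Luhn-validates the card number, and reports which POS devices wrote it. The log format, the `pos=` field and the sample entries are assumptions constructed for illustration.

```python
import re

# ISO/IEC 7813 magnetic-stripe layouts.
# Track 2: ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")
# Track 1 (format B): %B PAN ^ cardholder name ^ YYMM, service code, ... ?
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
DEVICE = re.compile(r"\bpos=(\S+)")  # assumed log field naming the POS device

def luhn_ok(pan):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan):
    """Keep first six and last four digits so findings never hold a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def audit_log(lines):
    """Return (line_no, device, track, masked_pan) for each cleartext hit."""
    findings = []
    for no, line in enumerate(lines, start=1):
        dev = DEVICE.search(line)
        device = dev.group(1) if dev else "?"
        for name, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):  # skip look-alikes that fail Luhn
                    findings.append((no, device, name, mask(m.group(1))))
    return findings

def affected_devices(findings):
    """POS devices whose log entries contained unencrypted track data."""
    return sorted({f[1] for f in findings})

# Constructed sample log: format, field names and values are made up
# (the PANs are well-known test numbers, not real cards).
SAMPLE_LOG = [
    "2017-04-05T10:12:03 store=S001 pos=POS-01 auth=APPROVED data=ENC:9f2c41d07ab3",
    "2017-04-05T10:14:47 store=S001 pos=POS-03 auth=APPROVED data=;4111111111111111=20121010000012300000?",
    "2017-04-05T10:15:10 store=S001 pos=POS-03 auth=APPROVED data=%B5555555555554444^DOE/JANE^20121010000000123000000?",
    "2017-04-05T10:16:02 store=S001 pos=POS-02 auth=DECLINED data=;4111111111111112=20121010000012300000?",
]

if __name__ == "__main__":
    hits = audit_log(SAMPLE_LOG)
    print(*hits, sep="\n")
    print("devices logging cleartext track data:", affected_devices(hits))
```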