Happy New Year, Forever 21 customers! You’re starting 2018 off with the knowledge that your personal credit card information could have been stolen. In a follow-up to an incident that occurred November 14th, Forever 21 is confirming that they did indeed suffer a data breach. The company says they have been using encryption technology in their POS systems since 2015, but an investigation showed it had been turned off. The company did not say how many customers were affected by the breach, only saying various POS terminals were affected between April 3rd and November 18th, 2017.
Since 2015, Forever 21’s payment processing system has been using encryption technology. After receiving a report from a third party in mid-October 2017 suggesting there may have been unauthorized access to data from payment cards that were used at certain Forever 21 stores, we immediately began an investigation. We hired leading payment technology and security firms to assist. The investigation determined that the encryption technology on some point-of-sale (POS) devices at some stores was not always on. The investigation also found signs of unauthorized network access and installation of malware on some POS devices designed to search for payment card data. The malware searched only for track data read from a payment card as it was being routed through the POS device. In most instances, the malware only found track data that did not have cardholder name – only card number, expiration date, and internal verification code – but occasionally the cardholder name was found.
The investigation found that encryption was off and malware was installed on some devices in some U.S. stores at varying times during the period from April 3, 2017, to November 18, 2017. In some stores, this scenario occurred for only a few days or several weeks, and in some stores, this scenario occurred for most or all of the timeframe. Each Forever 21 store has multiple POS devices, and in most instances, only one or a few of the POS devices were involved. Additionally, Forever 21 stores have a device that keeps a log of completed payment card transaction authorizations. When encryption was off, payment card data was being stored in this log. In a group of stores that were involved in this incident, malware was installed on the log devices that was capable of finding payment card data from the logs, so if encryption was off on a POS device prior to April 3, 2017, and that data was still present in the log file at one of these stores, the malware could have found that data.
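One way a defender could audit a transaction authorization log for the condition the statement describes (cleartext track data written while encryption was off), as an added example that is not Forever 21's or the investigators' code. The `date|terminal|payload` log format and the sample lines are constructed for illustration, and the card numbers are standard test numbers.

```python
import re
from collections import defaultdict

# Track 2 layout: ;PAN=YYMM, 3-digit service code, discretionary data, then ?
TRACK2 = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")

def luhn_ok(pan):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def audit_log(lines):
    """Map each terminal to the sorted dates on which it logged cleartext track data."""
    exposed = defaultdict(set)
    for line in lines:
        parts = line.rstrip("\n").split("|", 2)
        if len(parts) != 3:     # skip malformed records
            continue
        date, terminal, payload = parts
        if any(luhn_ok(m.group(1)) for m in TRACK2.finditer(payload)):
            exposed[terminal].add(date)
    return {t: sorted(d) for t, d in exposed.items()}

# Constructed sample log (hypothetical date|terminal|payload format).
# Card numbers are standard test numbers, not real accounts.
SAMPLE_LOG = [
    "2017-04-03|POS-01|AUTH OK ;4111111111111111=20121010000000000?",
    "2017-04-03|POS-02|AUTH OK ENC:7b0c1e9a44d2f1",              # encrypted
    "2017-04-04|POS-01|AUTH OK ;5555555555554444=19051010000000000?",
    "2017-04-04|POS-03|AUTH OK ;1234567890123456=99990000?",     # fails Luhn
    "truncated record",
]

if __name__ == "__main__":
    for terminal, dates in audit_log(SAMPLE_LOG).items():
        print(f"{terminal}: cleartext track data on {', '.join(dates)}")
```

The per-terminal date list gives the exposure window for each device, which is the shape of finding the statement reports (some devices, at varying times).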
The company also wants to let online customers know that they are not part of this breach; only in-store POS systems were affected. The company is still working on the investigation and perhaps will provide the number of accounts and users that were affected. In the meantime, if you want to contact the company, you can at 1-855-560-4992 Monday through Friday between the hours of 8:00 a.m. and 6:00 p.m. P.S.T.