Forever 21 reports data breach, failed to turn on POS encryption
Forever 21 reports data breach, failed to turn on POS encryption

The clothing retailer Forever 21 reported yesterday that unauthorized access to its payment card system  when the encryption installed on some of those systems was not operational.

The Los Angeles-based chain said in a statement that it was informed of the problem by a third-party vendor and that the issue took place between March and October 2017. The 600-store chain noted that only a limited number of point-of-sale payment systems were affected, although the company did not issue say how many could be involved. The retailer had rolled an encryption and tokenization solution to secure its POS stations in 2015, but for an as yet unstated reason this was not in operation in all of its locations.

“Because the investigation is continuing, complete findings are not available, and it is too early to provide further details on the investigation. Forever 21 expects to provide an additional notice as it gets further clarity on the specific stores and timeframes that may have been involved,” the company said.

The fact that encryption was turned off on some of the company's payment card readers is indicative of poor cybersecurity hygiene, said Mike Kail, CTO of Cybric.

"Surprised and disappointed to hear this as it sounds like they weren't (fully) PCI compliant. That is the first issue that they should disclose and whomever performed the audit should be held accountable. This continued poor hygiene needs to end." 

This revelation comes at a particularly bad time as U.S. retailers are gearing up for Black Friday and the holiday shopping season. Frances Zelazny, VP of behavioral biometrics at BioCatch, recommended that retailers redouble their vigilance when it comes to protecting their POS systems and to be very careful to make sure any security updates received via email are legitimate and not a phishing scheme.