Breach, Threat Management, Data Security, Encryption, Malware

Forever 21 blames POS malware, lapses in encryption, for payment card data compromise

A point-of-sale malware infection was responsible for compromising payment card data collected at certain Forever 21 stores last year – an attack that was exacerbated by a lack of encryption on some devices, the apparel retailer stated last week in its update to a previous incident disclosure.

A Dec. 28 news release published by the $4 billion Los Angeles-based company confirmed that a malicious party accessed data from some customers' payment cards between Apr. 3 and Nov. 18, 2017 – an act that was made possible through a combination of a malicious attack and a lapse in proper POS security.

An investigation spearheaded by the retailer determined that encryption technology in a number of POS devices was not always turned on during the time period of the attack. The unprotected data recorded by these devices were then subsequently stored on devices designed to log payment transaction authorizations. Unfortunately, the attackers had gained unauthorized access to the retailer's network, allowing them to infect some of these devices with malware capable of reading payment card magstripe track data, including card numbers, expiration dates, internal verification codes, and occasionally even cardholders' names.

“So if encryption was off on a POS device prior to April 3, 2017 and that data was still present in the log file at one of these stores, the malware could have found that data,” Forever 21 stated in its disclosure. “In some stores, this scenario occurred for only a few days or several weeks, and in some stores this scenario occurred for most or all of the timeframe,” the retailer warned.

In most cases, only one or a few POS devices in an affected location were infected, the company added.

Forever 21 also said that it is actively collaborating with its payment processors, its POS device provider, and third-party experts “to address the operation of encryption on the POS devices in all Forever 21 stores,” and that it is striving to enhance its security measures. Moreover, the company said it was still trying to ascertain of any of its 21 stores outside the U.S., which have different payment processing systems, were impacted by the incident.

The retailer initially reported the incident in a news release posted on Nov. 15, but at the time referenced only the lack of encryption and not the malware infection.

“With its endless POS endpoints, the retail industry has always been a desirable target for cybercriminals. They know that if they can introduce malware into POS networks, they can make a decent amount of cash by selling credit card numbers on the dark web,” said Mark Cline, a VP at managed security services provider Netsurion, in emailed comments. “With their millions of customers, large retailers, like Forever 21, have typically been the hardest hit. Companies must pay up to $172 per stolen record in clean-up costs.”

Forever 21 has set up a toll-free help line for customers at 855-560-4992.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.