Forever 21 Confirms Payment Card Breach Caused by POS Malware, Misuse

Fashion retailer Forever 21 confirmed investigation details of a 2017 breach involving unauthorized payment card data access at an undisclosed number of its stores due malfunctioning encryptions on POS devices.

The payment card security incident, first reported on November 14, 2017, centers on Forever 21’s payment processing system and its encryption technology.

After receiving a report from a third party in mid-October 2017 suggesting there may have been unauthorized access to payment card data at certain Forever 21 stores, the Los Angeles-based retail chain said it immediately began an investigation. “We hired leading payment technology and security firms to assist,” Forever 21 said in a statement.

The investigation determined that the encryption technology on some point-of-sale devices at some stores was not always on. The examination also found signs of unauthorized network access and installation of malware on some POS devices designed to search for payment card data. “The malware searched only for track data read from a payment card as it was being routed through the POS device. In most instances, the malware only found track data that did not have cardholder name – only card number, expiration date, and internal verification code – but occasionally the cardholder name was found.”

The enquiry found that encryption was off and malware was installed on some devices in some U.S. stores at varying times during the period from April 3, 2017 to November 18, 2017. In some stores, this scenario occurred for only a few days or several weeks, and in some stores this scenario occurred for most or all of the timeframe.

The statement indicated each Forever 21 store has multiple POS devices, and in most instances involved only one or a few of the POS devices. Additionally, Forever 21 stores retain logs of completed payment card transaction authorizations. With encryption turned off, payment card data collected in the logs. In a group of stores involved in this incident, malware installed on the log devices could locate payment card data from the logs, so if encryption was off on a POS device prior to April 3, 2017, then the malware could find data retained in the log file at one of these stores.

“Forever 21 has been working with its payment processors, POS device provider, and third-party experts to address the operation of encryption on the POS devices in all Forever 21 stores. Forever 21 stores outside of the U.S. have different payment processing systems, and the investigation is ongoing to determine if any of these stores are involved,” Forever 21 stated.

The company, which operates more than 815 stores in 57 countries, did not reveal the stores affected. Payment cards used on Forever 21’s website, www.forever21.com, were unaffected.

“With its endless POS endpoints, the retail industry has always been a desirable target for cybercriminals. They know that if they can introduce malware into POS networks, they can make a decent amount of cash by selling credit card numbers on the dark web,” Mark Cline, a VP at Fort Lauderdale, Fla.-based Netsurion, a provider of managed security services for multi-location businesses, said. “With their millions of customers, large retailers, like Forever 21, have typically been the hardest hit. Companies must pay up to $172 per stolen record in clean-up costs. A major retailer just paid $18.5 million to address the impact of its 2013 hack, which resulted in 41 million stolen credit cards.”

Cline suggested if retail businesses should protect themselves from POS malware, ransomware and other threats. They may be running anti-virus software and managed firewalls, but may not run active monitoring and threat detection including vulnerability scans, updating all operating system and software upgrades and patches immediately, setting up next-generation security systems and firewalls; and using a security information and event management applications to analyze all of the organization’s data.

Advertisement. Closing in 15 seconds.