Apparel retailer Forever 21 says point-of-sale systems in some of its stores were infected by malware for up to seven months, compromising shoppers' payment card data.
On Tuesday, Forever 21 issued an update on its investigation into the "payment card security incident" that it first announced in November.
The retailer now says that the investigation, conducted by a third-party incident response firm it hired, found that malware infected some POS devices last year between April 3 and November 18. It also found that in some cases the "encryption technology" used by its "payment processing system" was not active, which allowed malware-wielding attackers to steal payment card data that was being stored in logs of completed transactions.
Some stores suffered breaches lasting for the entire seven months, while others were breached "for only a few days or several weeks," Forever 21 says. "We regret this incident occurred and any concern this may have caused you."
Privately held Forever 21 sells "cheap chic" women's and men's clothing and accessories, catering especially to teenage girls and young women, and operates about 400 stores globally, many located in shopping centers. Founded in California in 1984, Forever 21 says it's the fifth largest specialty retailer in the United States.
The retailer says malware stole payment card data from U.S. customers when they paid via infected POS systems. In some cases, the retailer's systems were also inadvertently storing logs of completed transactions that included payment card data, which attackers may have also obtained, it says.
"The investigation determined that the encryption technology on some point-of-sale devices at some stores was not always on. The investigation also found signs of unauthorized network access and installation of malware on some POS devices designed to search for payment card data. The malware searched only for track data read from a payment card as it was being routed through the POS device," Forever 21 says in its data breach update.
Forever 21 says the malware obtained shoppers' card number, expiration date and internal verification code and in some cases also cardholders' names.
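Because the retailer's update says card data was being written to logs of completed transactions, one of the first checks a defender should run is a scan of POS and payment-gateway logs for track data at rest. The Python below is an added example, not code from the article or from Forever 21: it recognises the Track 2 layout (PAN, "=" separator, YYMM expiry, three-digit service code), applies a Luhn check to cut false positives such as transaction IDs, and reports masked findings over constructed sample log lines.

```python
import re
from typing import Dict, List

# Track 2 layout: PAN (13-19 digits), '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, optional '?' end sentinel.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\??")

# Constructed sample log lines; the PANs are well-known public test numbers.
SAMPLE_LOG = [
    "2017-06-12 14:02:11 INFO txn=88231 terminal=POS-07 approved amount=42.99",
    "2017-06-12 14:02:11 DEBUG raw=;4111111111111111=2212101123456789?",
    "2017-06-12 14:03:45 DEBUG ref=1234567890123456=2511888 status=ok",
    "2017-06-12 14:05:02 DEBUG raw=;5555555555554444=2306201000000000?",
]


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so the finding is safe to report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines and return masked findings of Track 2 data at rest."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in TRACK2_RE.finditer(line):
            pan, yy, mm, svc = m.groups()
            # Luhn plus a sane month filters out IDs that merely look like PANs.
            if luhn_ok(pan) and 1 <= int(mm) <= 12:
                findings.append({"line": lineno, "pan_masked": mask_pan(pan),
                                 "expiry": f"{mm}/{yy}", "service_code": svc})
    return findings


if __name__ == "__main__":
    for f in find_track2(SAMPLE_LOG):
        print(f)
```

Line 3 of the sample contains a 16-digit value in Track 2 shape that fails Luhn, so it is reported as clean; the two real test PANs are flagged with only the BIN and last four digits exposed.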
International Stores Affected?
It's not yet clear if Forever 21 retail stores located outside of the United States may have also been breached by malware-wielding attackers. The retailer operates stores in numerous countries, including Canada, Ireland, Japan, Singapore, South Korea and the United Kingdom.
"Forever 21 stores outside of the U.S. have different payment processing systems, and our investigation is ongoing to determine if any of these stores are involved," the retailer says.
Payment Card Data Breach Epidemic
The payment card breach problem is compounded by the ease of procuring card-scraping malware from underground cybercrime forums, as well as by poor information security practices at many organizations in the hospitality and retail sectors, according to Verizon's 2017 Data Breach Investigations Report.
Some information security experts recommend that any organization that uses POS terminals should assume it has been breached unless it can demonstrably and repeatedly prove otherwise.
Beyond targeting POS systems, attackers have also focused on POS system providers. In 2016, Oracle issued an alert about its MICROS point-of-sale hardware and software, used across 330,000 customer sites in 180 countries, warning that it had "detected and addressed malicious code in certain legacy MICROS systems."