
Forever 21’s POS Hack Went Unnoticed For 8 Months

Forever 21 has provided an update on a payment card data breach that it first reported in mid-November. According to the national clothing retailer, encryption technology on some of its point-of-sale devices at certain store locations wasn’t always activated.

In a Dec. 28 press release, the company said that after being alerted in the middle of October to unauthorized access to payment card data, it hired a payment technology and security firm to help investigate the breach. The investigation determined that the encryption on its POS systems wasn’t always on. In addition, there were signs of unauthorized network access and of malware installed on some of its POS devices that was designed to search for payment card information.

The retailer noted that the malware searched only for track data read from a payment card as it was being routed through the POS device. In most cases, the malware located card numbers, expiration dates and internal verification codes but not cardholder names; names were found only occasionally.

“Forever 21 has been working with its payment processors, POS device provider and third-party experts to address the operation of encryption on the POS devices in all Forever 21 stores,” the company said in the press release. “Forever 21 stores outside of the U.S. have different payment processing systems, and our investigation is ongoing to determine if any of these stores are involved.

“In addition to addressing encryption, Forever 21 is continuing to work with security firms to enhance its security measures. We also continue to work with the payment card networks so that the banks that issue payment cards can be made aware of this incident. Lastly, we will continue to support law enforcement’s investigation of this incident.”


