Forever 21’s POS Hack Went Unnoticed For 8 Months

Forever 21 has provided an update on a payment card data breach that it first reported in mid-November. According to the national clothing retailer, encryption technology on some of its point-of-sale devices at certain store locations wasn’t always activated.

In a Dec. 28 press release, the company said that after being alerted in mid-October to unauthorized access to payment card data, it hired a payment technology and security firm to help investigate the breach. The investigation determined that the encryption on its POS systems wasn’t always on. In addition, there were signs of unauthorized network access and signs that malware designed to search for payment card information had been installed on some of its POS devices.

The retailer noted the malware searched only for track data read from a payment card as it was being routed through the POS device. In most cases, the malware didn’t find cardholder names, but did locate card numbers, expiration dates and internal verification codes. Cardholders’ names were only found occasionally.

“Forever 21 has been working with its payment processors, POS device provider and third-party experts to address the operation of encryption on the POS devices in all Forever 21 stores,” the company said in the press release. “Forever 21 stores outside of the U.S. have different payment processing systems, and our investigation is ongoing to determine if any of these stores are involved.

“In addition to addressing encryption, Forever 21 is continuing to work with security firms to enhance its security measures. We also continue to work with the payment card networks so that the banks that issue payment cards can be made aware of this incident. Lastly, we will continue to support law enforcement’s investigation of this incident.”