POS Data Breach Detected at Forever 21 Stores

Forever 21, which has its stores worldwide, has detected a computer data breach that could have happened over a long time, at least eight months.

It was on November 14, 2017 that Forever 21 notified its customers about the breach, through a press release which said- “FOREVER 21 is notifying its customers that it recently received a report from a third party that suggested there may have been unauthorized access to data from payment cards that were used at certain FOREVER 21 stores. Forever 21 immediately began an investigation of its payment card systems and engaged a leading security and forensics firm to assist.”

Forever 21, Inc., which is headquartered in Los Angeles, California and operates over 815 stores in 57 countries (with retailers in the U.S, U.K, Australia, Brazil, Canada, China, France, Germany, Hong Kong, India, Israel, Japan, Korea, Latin America, Mexico and Philippines), had implemented encryption and tokenization solutions in 2015. The press release states that because of the encryption and tokenization solutions, it seems that only certain POS devices in some of its stores have been impacted. This has happened when the encryption on those POS devices was not in operation; Forever 21 began investigations focusing on card transactions that happened at its stores during the period between March 2017 and October 2017. As the company began the investigations, it also advised customers to monitor their payment card statements and notify banks in case they detected any unauthorized charges.

The investigations were done; Forever 21 hired leading payment technology and security firms to assist in the investigation process. The findings from the investigation have been published in a press release dates December 28, 2017. The investigation proved that some POS devices at the Forever 21 stores were affected.

The December 28th press release states- ” The investigation found that encryption was off and malware was installed on some devices in some U.S. stores at varying times during the period from April 3, 2017 to November 18, 2017. In some stores, this scenario occurred for only a few days or several weeks, and in some stores this scenario occurred for most or all of the timeframe. Each Forever 21 store has multiple POS devices, and in most instances only one or a few of the POS devices were involved. Additionally, Forever 21 stores have a device that keeps a log of completed payment card transaction authorizations. When encryption was off, payment card data was being stored in this log. In a group of stores that were involved in this incident, malware was installed on the log devices that was capable of finding payment card data from the logs, so if encryption was off on a POS device prior to April 3, 2017 and that data was still present in the log file at one of these stores, the malware could have found that data.”

Forever 21 has been working with its POS device provider, payment processors, third-party advisors etc to clear the encryption-related issue in all of its stores. The company is also investigating if any of its stores outside of the U.S. Too have been involved. It has been clarified that payment cards used on the company’s website have not been impacted.