Forever 21 confirms seven-month security breach
The popular US-based fast fashion chain has confirmed that hackers were able to gain access to customers’ data for more than half a year in 2017 because encryption had been turned off on some point-of-sale (POS) devices.
This is not the first time the company has been accused of failing to protect its customers’ privacy sufficiently. In 2008, Forever 21 confirmed that hackers had accessed payment data - including information from nearly 100,000 different payment cards, although not including cardholder names - between 2004 and 2007. The company was made aware of the security breach when the US Department of Justice charged 11 hackers with the theft and sale of payment card information from major retailers, including Forever 21.
In November 2017, the company gave notice of another “payment card security incident”, stating that “there may have been unauthorised access to data from payment cards that were used at certain Forever 21 stores.”
The company said that it immediately began an investigation of its systems with the assistance of a leading cyber-security firm. It has now reported that the encryption technology on some POS devices, introduced in 2015, was not always turned on, and that investigators found signs of unauthorised network access and of malware installed on some devices to harvest payment card data. In most cases the malware collected only the card number, expiry date and internal verification code; in some cases, the company reported, it also captured the cardholder's name and other information.
The period during which encryption was found to have been off on some devices ran from 3 April to 18 November 2017, roughly seven months, although individual devices were typically unencrypted for several days or weeks at a time rather than for the whole period. While encryption was off, card data passed through those devices in plaintext, which is what made it readable by the malware.
Malware was also found on in-store devices that store data from recently completed card transactions, so records of past transactions were exposed as well as live ones.
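The two preceding paragraphs describe malware reading plaintext card data from POS devices and from the transaction-log devices beside them. The check a practitioner would want is whether card numbers are actually visible in what those devices hold. The following is an added example, not code from the article or from Forever 21 or its investigators: it scans a buffer (a process memory capture or a transaction log) for Luhn-valid card numbers and track-2 style data, and is run here over two constructed samples, one imitating a device with encryption off and one with encryption on. The sample contents, the PAN masking format and the result structure are assumptions chosen for the example.

```python
"""Scan a POS memory or log buffer for unencrypted card numbers.

Added example: constructed sample data, not captures from any real device.
"""
import re

# A primary account number is 13-19 digits; the lookarounds stop us
# matching a slice of a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")
# Track-2 layout: PAN '=' expiry (YYMM) service code ... as read from the stripe.
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{4})(\d{3})")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out timestamps and transaction IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four so a finding can be reported without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_plaintext_pans(buf: bytes) -> list[dict]:
    """Return Luhn-valid PANs in buf, in order of appearance, noting which
    ones are accompanied by track-2 data (expiry and service code)."""
    track2_pans = {m.group(1) for m in TRACK2_RE.finditer(buf)}
    findings, seen = [], set()
    for m in PAN_RE.finditer(buf):
        digits = m.group(0).decode()
        if digits in seen or not luhn_ok(digits):
            continue
        seen.add(digits)
        findings.append({
            "pan": mask(digits),
            "offset": m.start(),
            "track2": m.group(0) in track2_pans,
        })
    return findings


# Constructed sample: what a scraper sees when the device handles card data
# in the clear. Card numbers are the standard Visa/Mastercard test values;
# 1234567890123456 is a 16-digit transaction ID that must NOT be reported.
SAMPLE_PLAINTEXT = (
    b"TXN 20171103 ;4111111111111111=2512101? AMT 4999 "
    b"TXN 20171103 REF 1234567890123456 AMT 1299 "
    b"TXN 20171104 5555555555554444 EXP 2403 AMT 2599 "
)

# Constructed sample: same transactions with point-to-point encryption on;
# only an opaque blob and a token cross the POS, so nothing PAN-like appears.
SAMPLE_ENCRYPTED = (
    b"TXN 20171103 BLOB=d41d8cd98f00b204e9800998ecf8427e TOKEN=tok_7d1c2e AMT 4999 "
    b"TXN 20171103 REF 1234567890123456 AMT 1299 "
    b"TXN 20171104 BLOB=9e107d9d372bb6826bd81d3542a419d6 TOKEN=tok_a40f31 AMT 2599 "
)


if __name__ == "__main__":
    for label, buf in (("encryption off", SAMPLE_PLAINTEXT),
                       ("encryption on", SAMPLE_ENCRYPTED)):
        hits = find_plaintext_pans(buf)
        print(f"{label}: {len(hits)} plaintext PAN(s)")
        for h in hits:
            print(f"  {h['pan']} at offset {h['offset']} track2={h['track2']}")
```

Running the scan over memory dumps or log files from a sample of terminals is a cheap way to confirm that encryption is actually active on every device, rather than relying on the configuration saying so; a single Luhn-valid hit with track-2 data beside it is the condition the malware described above was exploiting.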
Stolen credit and debit card details can be bought on the ‘Dark Web’ for as little as £11.
Forever 21 stated that it regrets the security breach and is working alongside experts to improve security for in-store payments. Customers have been advised to check their card statements and report suspicious transactions.
Gigantic data leaks affecting millions of customers at a time have occurred frequently in recent years, including incidents affecting three billion Yahoo users from 2013-14, 412 million Adult Friend Finder account holders in 2016 and 57 million Uber users in 2016 - the latter incident controversially hidden by the company for over a year.