Fashion retailer Forever 21 confirmed a breach made public in November resulted in the theft of credit card data belonging to an undisclosed number of customers.
The company had stated that a lack of encryption used on some of its point-of-sales payment terminals could have resulted in unauthorized access to payment card data. In its most recent update, issued last week, Forever 21 now states effected PoS terminals allowed hackers to install malicious software for nearly eight months in 2017.
“The investigation found that encryption was off and malware was installed on some devices in some U.S. stores at varying times during the period from April 3, 2017 to November 18, 2017,” the company said in a recently released statement. “In some stores, this scenario occurred for only a few days or several weeks, and in some stores this scenario occurred for most or all of the timeframe.”
The company said each of its Forever 21 retail outlets uses multiple PoS terminals, but at some stores a number of devices did not have encryption enabled. It said hackers targeted those few stores and the vulnerable PoS devices that kept logs of completed payment transaction authorizations.
“In a group of stores that were involved in this incident, malware was installed on the log devices that was capable of finding payment card data from the logs,” the company said.
Malware on affected PoS devices searched only for track data read from payment cards as they were routed through the POS device, the company said. “In most instances, the malware only found track data that did not have cardholder name – only card number, expiration date, and internal verification code – but occasionally the cardholder name was found.”
Still unknown is how many of Forever 21’s customers were effected that shopped at one of the company’s 815 stores. Also unknown is the malware variant used in the attack.
The company said it has hired security experts to help work with PoS device makers and payment processors to “address encryption” issues at all its stores to enhance security measures. It said it’s unsure if stores outside the US are impacted, because those stores us a different processing systems.
Forever 21 joins a crowded list of retailers and hotel chains bitten by PoS-style attacks in 2017. Over the past 12 months, there has been a number PoS systems targeted in attacks by a growing list of malware.
In July, Arbor Networks reported botnets distributing FlokiBot point-of-sale malware had returned spewing a new malware dubbed LockPoS. In October, Hyatt Corp. warned of a credit card breach affecting 41 of its hotels. Also reporting credit card data breaches in 2017 is InterContinental Hotels Group, the Hard Rock Hotels and Casinos franchise and the travel services company Sabre Corp.