Malware harvested customer payment details for seven months last year

After completing its investigation into a potential data breach that was first disclosed in November, US fashion retailer Forever 21 has confirmed that some of its in-store point of sale (POS) systems were compromised over a seven-month period last year.

Providing an update to customers last week, the Los Angeles-based company said forensic experts found signs of unauthorized network access and POS malware designed to search for payment card data.

While Forever 21 said its payment processing systems have been using encryption since 2015, the investigation determined that the encryption technology on some POS devices was not always on, and that malware was installed “on some devices in some US stores at varying times” between April 3 and November 18.

In most instances, the malware only found track data that did not have cardholder name – only card number, expiration date, and internal verification code – but occasionally the cardholder name was found.

Although in some stores this scenario occurred for only a few days or weeks, it was found that some stores were impacted by the malware for most, or all, of the timeframe.

This seven-month window might be even wider, however, as Forever 21 said its payment systems keep a log of completed card transaction authorizations. “If encryption was off on a POS device prior to April 3, and that data was still present in the log file at one of these stores, the malware could have found that data,” the retailer stated.

Following the investigation, Forever 21 said it has been working with its payment processors, POS device provider, and third-party experts to address the operation of encryption on the POS devices in all Forever 21 stores.

“In addition to addressing encryption, Forever 21 is continuing to work with security firms to enhance its security measures,” the company said. “We also continue to work with the payment card networks so that the banks that issue payment cards can be made aware of this incident.”