Clothing giant Forever 21 has confirmed that customers’ credit card info was freely available to hackers from April until November 2017.
Most shocking was the confession that the company’s encryption software had been turned off entirely at many locations, some of which were left completely defenseless for the entire seven-month period.
Forever 21 also reported that malware had been installed on some point-of-sale (till) devices in its stores. Because the data on those devices was not encrypted, the malware could dig through Forever 21's stored logs of customers' transactions and extract the payment card data from them.
The data breach was revealed to Forever 21 by “a third party” in October 2017. The company responded with an investigation, employing security firms and leading payment technology to uncover the extent of the damage.
The investigation revealed that “in most cases” hackers were able to obtain the card number, expiration date, and internal verification code of a given transaction, stressing that only “occasionally” was the cardholder name also found.
Forever 21 was unable to confirm if the data breach has occurred in stores outside of the USA, although it has said that transactions on their online store were unaffected by the hack.
Because of the nature of the discovered malware, and the unclear extent of the problem with encryption software being 'not always on', it is possible that customer card data from transactions prior to April 2017 was also stolen.
There are still no details on exactly how many people have been affected by the breach.
The only detail Forever 21 is willing to reveal is that "some devices in some US stores at varying times" were affected.
Considering that Forever 21 is one of the largest clothing retailers in the world, with 800 stores operating in 57 countries, including three locations in the UK, the potential damage could be huge.
Back in 2008, Forever 21 was notified of another security breach when the credit card data of almost 100,000 customers was stolen in nine separate attacks.
In response to this most recent failing, the company had this to say: “Forever 21 is continuing to work with security firms to enhance its security measures. We also continue to work with the payment card networks so that the banks that issue payment cards can be made aware of this incident. Lastly, we will continue to support law enforcement’s investigation of this incident.”
If you have been a customer at a Forever 21 store in 2017, it is strongly advised that you check your payment card statements and change the PINs and passwords on your associated accounts.
If you notice any unauthorized transactions on your account, notify your credit card company or bank immediately.
In many cases, you will not be held liable for fraudulent use of your card.
MAIN IMAGE: Dan De Luca/CC BY 2.0