Retailers (and Customers) Take Note: Forever 21 POS System Breach – by Ron Benvenisti

Forever 21 says that an investigation conducted by a third-party incident response firm that it hired has found that malware infected some POS devices last year between April 3 and November 18, and that in some cases “encryption technology” being used by its “payment processing system” was not active, allowing malware-wielding attackers to steal payment card data that was being stored in logs of completed transactions.

Retailers take note: “encryption technology” being used by its “payment processing system” was not active

Thus far, Forever 21 is aware that stores suffered breaches lasting as long as the entire seven months, while others were breached “for … a few days or several weeks,” Forever 21 says. “We regret this incident occurred and any concern this may have caused you.”

Founded in California in 1984, Forever 21 says it’s the fifth largest specialty retailer in the United States.

The privately-held retailer says malware stole payment card data from U.S. customers when they paid via infected POS systems. In some cases, the retailer’s systems were also inadvertently storing logs of completed transactions that included payment card data, which attackers may have also obtained, it says.

Retailers take note: “the retailer’s systems were also inadvertently storing logs of completed transactions that included payment card data”

“The investigation determined that the encryption technology on some point-of-sale devices at some stores was not always on,” Forever 21 says, “The investigation also found signs of unauthorized network access and installation of malware on some POS devices designed to search for payment card data. The malware searched only for track data read from a payment card as it was being routed through the POS device.”

Forever 21 says the malware obtained shoppers’ card number, expiration date and internal verification code and in some cases also cardholders’ names. 
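A retailer can check its own transaction logs for the two conditions described above: stored card numbers and unencrypted track data. The Python below is an added example, not code from Forever 21 or its investigators; the log layout, field names and sample lines are constructed assumptions, and 4111111111111111 is a widely used test number rather than a real card.

```python
import re

# ISO/IEC 7813 layouts: Track 1 is %B<PAN>^<NAME>^<YYMM>...? and
# Track 2 is ;<PAN>=<YYMM>...? ; BARE_PAN catches a card number logged on its own.
TRACK1 = re.compile(r"%B(\d{12,19})\^[^^?\r\n]{2,26}\^\d{4}[^?\r\n]*\?")
TRACK2 = re.compile(r";(\d{12,19})=\d{4}[^?\r\n]*\?")
BARE_PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(digits):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Show only the first six and last four digits so the report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_log(lines):
    """Return (line_no, kind, masked_pan) for every card-data hit in the log."""
    findings = []
    for no, line in enumerate(lines, 1):
        rest = line
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2), ("pan", BARE_PAN)):
            for m in rx.finditer(rest):
                if luhn_ok(m.group(1)):  # drops order ids and other long numbers
                    findings.append((no, kind, mask(m.group(1))))
            rest = rx.sub(" ", rest)  # do not re-report digits inside a matched span
    return findings

# Constructed sample log (hypothetical format), not taken from any real system.
SAMPLE_LOG = [
    "2017-06-01 10:02:11 txn=1001 status=APPROVED amount=24.90 ref=883920114477",
    "2017-06-01 10:02:12 txn=1001 raw=%B4111111111111111^DOE/JANE^25121010000000000?",
    "2017-06-01 10:05:40 txn=1002 raw=;4111111111111111=25121010000000000?",
    "2017-06-01 10:07:03 txn=1003 card=4111111111111111 exp=1225",
    "2017-06-01 10:09:55 txn=1004 order_id=1234567890123456 status=APPROVED",
]

if __name__ == "__main__":
    for no, kind, pan in scan_log(SAMPLE_LOG):
        print(f"line {no}: {kind} {pan}")
```

Any `track1` or `track2` hit means full magnetic-stripe data reached the log in clear text, which is the condition the investigation describes when encryption on a POS device was not on.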

Forever 21 says that since launching its breach investigation, it has been “working with its payment processors, POS device provider and third-party experts to address the operation of encryption on the POS devices in all Forever 21 stores.”

Retailers take note:  Work with your payment processors, POS device provider and third-party experts to address the operation of encryption on POS devices and systems.

As required by law, the retailer must notify all customers to monitor their bank and other financial statements for signs that they may have been the victim of identity theft or fraud. “You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner,” it says.

Retailers take note:  Procuring card-scraping malware from underground cybercrime forums as well as poor information security practices by many organizations in the hospitality and retail sectors, according to Verizon’s 2017 Data Breach Investigations Report.

Retailers take note:  Every organization that uses POS terminals should assume they have been breached unless it can demonstrably and repeatedly prove otherwise.

Attackers are very focused on POS system providers. In 2016, Oracle issued an alert about its MICROS point-of-sale hardware and software, used across 330,000 customer sites in 180 countries, warning that it had “detected and addressed malicious code in certain legacy MICROS systems.” Many more POS vendors have also been targeted.

Forever 21 has not disclosed the identity of its POS device provider.

Ron Benvenisti
