Fast-fashion retailer Forever 21 revealed more details last week on the company's failure to turn on encryption in some of its point-of-sale (POS) terminals in the US during the period from April 3, 2017 to November 18, 2017, which left customer payment card information exposed to hackers.
The retailer first admitted that it had received a report from a third party in mid-October 2017 "suggesting" that there had been unauthorised access to data from payment cards.
According to its investigation report, the malware found harvested track data such as the card number, expiration date, internal verification code and, "occasionally", the cardholder name.
"In some stores, this scenario occurred for only a few days or several weeks, and in some stores this scenario occurred for most or all of the timeframe," the company explained.
"Each Forever 21 store has multiple POS devices, and in most instances only one or a few of the POS devices were involved. Additionally, Forever 21 stores have a device that keeps a log of completed payment card transaction authorisations. When encryption was off, payment card data was being stored in this log. In a group of stores that were involved in this incident, malware was installed on the log devices that was capable of finding payment card data from the logs, so if encryption was off on a POS device prior to April 3, 2017 and that data was still present in the log file at one of these stores, the malware could have found that data."
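The failure mode described above, a transaction authorisation log that holds cleartext card data whenever a terminal's encryption is off, is exactly what a periodic log audit should catch before an attacker does. The following added example (not code from Forever 21 or its investigators) scans constructed log lines for Luhn-valid card numbers and reports them masked, together with any companion fields (expiry, verification code, name) that are also in the clear; the log format and field names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on a POS authorisation log; the PANs are
# industry test numbers, not real accounts. Line 2 stands in for a terminal
# with encryption on (tokenised PAN); line 4 is a 16-digit non-card reference.
SAMPLE_LOG = [
    "2017-04-03 10:12:01 AUTH OK amt=42.99 pan=4111111111111111 exp=0919 cvv=123 name=J DOE",
    "2017-04-03 10:13:45 AUTH OK amt=18.50 pan=tok_7f3a9c21d4e5b0aa exp=**** cvv=***",
    "2017-04-03 10:15:02 AUTH DECLINED amt=99.00 pan=5500000000000004 exp=1120",
    "2017-04-03 10:16:30 AUTH OK amt=12.00 ref=1234567890123456",
]

# 13-19 consecutive digits that are not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Companion fields whose value is not already masked with asterisks.
SENSITIVE_FIELDS = re.compile(r"\b(cvv|exp|name)=(?!\*+)\S+")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits (PCI-style masked PAN)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Report every line holding a cleartext PAN, plus any cleartext companion fields."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        pans = [m for m in PAN_CANDIDATE.findall(line) if luhn_ok(m)]
        if not pans:
            continue
        extras = sorted({f.group(1) for f in SENSITIVE_FIELDS.finditer(line)})
        findings.append({"line": lineno, "pans": [mask(p) for p in pans], "fields": extras})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: cleartext PAN {f['pans']} with fields {f['fields']}")
```

A non-empty result from `scan_log` on a live log device is the signal that a terminal is writing unencrypted card data, the condition the statement above says persisted for months in some stores.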
The retailer said Forever 21 stores outside of the U.S. have different payment processing systems, and an investigation is ongoing to determine whether any of these stores are involved. On the other hand, payment cards used on Forever 21's website, www.forever21.com, were not affected.
It added that the company is now addressing encryption with its payment processors, POS device provider, and third-party experts, as well as working with security firms to enhance its security measures. "We regret this incident occurred and any concern this may have caused," it said.