Forever 21 Inc. announced Thursday that a two-month investigation confirmed unauthorized access to the clothing company’s computer network through malware installed on point-of-sale devices at some of its U.S. stores.
Los Angeles-based Forever 21 said in a statement the malware was able to detect data from a payment card as it was being routed through the devices, also called POS devices.
In most of those instances, the malware only found data that did not have a cardholder’s name to go along with the card number, expiration date and internal verification code illegally lifted from the POS devices, but occasionally the cardholder name also was stolen, the company said.
The investigation found that successful malware invasions often resulted when POS devices at some Forever 21 stores in the U.S. were turned off at varying times from April 3 to Nov. 18, the company said.
In some stores, this scenario occurred for only a few days or several weeks, but in some stores the scenario occurred for most or all of the timeframe.
Each Forever 21 store has multiple POS devices, and in most instances only one or a few of the POS devices were involved, officials said.
Additionally, a device that keeps a log of completed payment card transaction authorizations was vulnerable to malware hacking when encryption was off, allowing access to payment card data that was being stored in this log.
“In a group of stores that were involved in this incident, malware was installed on the log devices that was capable of finding payment card data from the logs, so if encryption was off on a POS device prior to April 3, 2017 and that data was still present in the log file at one of these stores, the malware could have found that data,” the company said.
“Because of the encryption … solutions that Forever 21 implemented in 2015, it appears that only certain point-of-sale devices in some Forever 21 stores were affected when the encryption on those devices was not operating,” the statement said.
The company said its investigation mainly is focused on card transactions in Forever 21 stores from March through October.
“Because the investigation is continuing, complete findings are not available, and it is too early to provide further details on the investigation,” according to the company.
“Forever 21 expects to provide an additional notice as it gets further clarity on the specific stores and timeframes that may have been involved.”
Forever 21 operates more than 815 stores in 57 nations, including the U.S., Australia, Brazil, Canada, China, France, Germany, Hong Kong, India, Israel, Japan, South Korea, Latin America, Mexico, the Philippines and the United Kingdom.
Company officials said if customers see an unauthorized charge, they should immediately notify the bank that issued the card. Payment card network rules generally state that cardholders are not responsible for such charges.
Customers with questions can call (855) 560-4992 between 8 a.m. and 6 p.m. weekdays.
–City News Service