A point-of-sale malware infection was responsible for compromising payment card data collected at certain Forever 21 stores last year – an attack that was exacerbated by a lack of encryption on some devices, the apparel retailer stated last week in its update to a previous incident disclosure.
A 28 December news release published by the US$ 4 billion (£2.9 billion) Los Angeles-based company confirmed that a malicious party accessed data from some customers' payment cards between 3 April and 18 November, 2017 – an act that was made possible through a combination of a malicious attack and a lapse in proper POS security.
An investigation spearheaded by the retailer determined that encryption technology in a number of POS devices was not always turned on during the time period of the attack. The unprotected data recorded by these devices was subsequently stored on devices designed to log payment transaction authorisations. The attackers had separately gained unauthorised access to the retailer's network, allowing them to infect some of these devices with malware capable of reading payment card magstripe track data, including card numbers, expiration dates, internal verification codes, and occasionally even cardholders' names.
“So if encryption was off on a POS device prior to 3 April 2017 and that data was still present in the log file at one of these stores, the malware could have found that data,” Forever 21 stated in its disclosure. “In some stores, this scenario occurred for only a few days or several weeks, and in some stores this scenario occurred for most or all of the timeframe,” the retailer warned.
In most cases, only one or a few POS devices in an affected location were infected, the company added.
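The failure chain described above (encryption off on a terminal, cleartext magstripe data written into authorisation log files, malware reading it back) is exactly what a PCI assessor or SOC would want to catch before an attacker does. The following is an added example, not Forever 21's code or anything from its disclosure, of a defensive log scan that flags Luhn-valid Track 1/Track 2 data in POS log lines and reports only a masked PAN. The log lines and card numbers are constructed (public test card numbers).

```python
import re

# Track 2: start sentinel ';', 13-19 digit PAN, '=' separator, YYMM expiry,
# service code / discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})\d*\??")
# Track 1 (format B): '%B', PAN, '^' cardholder name '^', YYMM expiry, data, '?'.
TRACK1_RE = re.compile(r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})[^?]*\??")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check; cuts false positives from other digit runs in logs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only, so the finding itself is not cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(lines):
    """Return one finding per Luhn-valid track record found in the log lines."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                pan = m.group("pan")
                if luhn_valid(pan):
                    findings.append({"line": lineno, "track": track,
                                     "pan_masked": mask_pan(pan), "expiry": m.group("exp")})
    return findings


# Constructed sample authorisation log: line 1 is a healthy tokenised record,
# lines 2-3 show cleartext track data, line 4 is track-shaped but fails Luhn.
SAMPLE_LOG = [
    "2017-04-03 09:12:44 AUTH OK term=07 amount=42.10 token=tok_9f3a1c",
    "2017-04-03 09:13:02 AUTH OK term=07 amount=18.99 track2=;4111111111111111=25121011000012345678?",
    "2017-04-03 09:13:02 AUTH DECLINE term=02 track1=%B5555555555554444^DOE/JANE^2512101000000000000?",
    "2017-04-03 09:14:10 AUTH OK term=07 ref=;1234567890123456=2512999?",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: cleartext {f['track']} data, PAN {f['pan_masked']}, exp {f['expiry']}")
```

Any hit means the terminal that produced the line was not encrypting at the point of swipe, which is the condition to escalate regardless of whether malware has been found yet.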
Forever 21 also said that it is actively collaborating with its payment processors, its POS device provider, and third-party experts “to address the operation of encryption on the POS devices in all Forever 21 stores,” and that it is striving to enhance its security measures. Moreover, the company said it was still trying to ascertain if any of its 21 stores outside the US, which have different payment processing systems, were impacted by the incident.
The retailer initially reported the incident in a news release posted on 15 November, but at the time referenced only the lack of encryption and not the malware infection.
“With its endless POS endpoints, the retail industry has always been a desirable target for cyber-criminals. They know that if they can introduce malware into POS networks, they can make a decent amount of cash by selling credit card numbers on the dark web,” said Mark Cline, a VP at managed security services provider Netsurion, in emailed comments. “With their millions of customers, large retailers, like Forever 21, have typically been the hardest hit. Companies must pay up to US$ 172 (£126.6) per stolen record in clean-up costs.”