Fashion retailer Forever 21 confirmed a breach made public in November resulted in the theft of credit card data belonging to an undisclosed number of customers.
The company had stated that a lack of encryption used on some of its point-of-sales payment terminals could have resulted in unauthorized access to payment card data. In its most recent update, issued last week, Forever 21 now states effected PoS terminals allowed hackers to install malicious software for nearly eight months in 2017.
“The investigation found that encryption was off and malware was installed on some devices in some U.S. stores at varying times during the period from April 3, 2017 to November 18, 2017,” the company said in a recently released statement. “In some stores, this scenario occurred for only a few days or several weeks, and in some stores this scenario occurred for most or all of the timeframe.”
The company said each of its Forever 21 retail outlets uses multiple PoS terminals, but at some stores a number of devices did not have encryption enabled. It said hackers targeted those few stores and the vulnerable PoS devices that kept logs of completed payment transaction authorizations.
“In a group of stores that were involved in this incident, malware was installed on the log devices that was capable of finding payment card data from the logs,” the company said.
Malware on affected PoS devices searched only for track data read from payment cards as they were routed through the POS device, the company said. “In most instances, the malware only found track data that did not have cardholder name – only card number, expiration date, and internal verification code – but occasionally the cardholder name was found.”
Still unknown is how many of Forever 21’s customers were effected that shopped at one