Forever 21's POS system was breached for months, exposing customer credit card details

Polycount


It seems Equifax isn't the only company that's accidentally exposed sensitive customer information this year. Popular clothing retailer Forever 21 had its payment system compromised at retail locations throughout the country for several months during 2017.

After hiring "leading payment technology and security firms" to assist with their investigation into the issue, the company discovered that some POS systems at certain Forever 21 store locations had their built-in encryption mechanisms switched off, which allowed malware to be installed. This malware in turn allowed hackers to search for and likely obtain sensitive customer credit card data.

"In most instances, the malware only found track data that did not have a cardholder name," Forever 21's official customer notice reads. "But occasionally the cardholder name was found."

These hacks reportedly took place at "varying times" between April 3rd and November 18th, 2017, leaving the company's customer base vulnerable for roughly 8 months - though it's possible that at certain Forever 21 locations credit card data stored in system logs prior to April 3rd could also have been exposed.

The company has made it clear that the length of time each affected POS system was vulnerable varies greatly from store to store. "In some stores, this scenario occurred for only a few days or several weeks," Forever 21 said in a statement, "and in some stores this scenario occurred for most or all of the timeframe."

Forever 21 has not yet released any specific information regarding how they plan to prevent these issues from happening in the future, though they have promised to "[continue working with] security firms to enhance [their] security measures." That said, the company has advised their customers to obtain copies of their credit reports and consider placing a fraud alert on their credit files if they have reason to believe they may have been affected by this data breach.

This isn't the first time a major retailer has been hit by a cyberattack. GameStop and Chipotle were both the targets of similar attacks during April and May 2017, respectively.

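The notice's distinction between track data with and without a cardholder name, and the mention of card data sitting in system logs, can be checked for on the defender's side. The following is an added example, not code from the article or from Forever 21: a small audit that flags clear-text magnetic-stripe data in log lines and reports which track it is. The regexes assume the ISO/IEC 7813 layouts, and the log lines and function names are constructed for illustration.

```python
import re

# Magnetic-stripe layouts per ISO/IEC 7813. Track 1 carries the cardholder
# name between carets; Track 2 has no name field at all.
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^]{2,26})\^(\d{4})")
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})")

def luhn_ok(pan):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep first six and last four digits so the finding is safe to store."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_line(line):
    findings = []
    for track, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append({"track": track, "pan": mask(m.group(1)),
                                 "has_name": track == "track1"})
    return findings

def audit(lines):
    """Return (line_number, finding) for every clear-text track hit."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in scan_line(line)]

# Constructed sample log; 4111111111111111 is a well-known test card number.
SAMPLE_LOG = [
    "2017-04-03 10:02:11 pos-07 auth ;4111111111111111=20121010000000000000? sent",
    "2017-04-03 10:05:40 pos-07 swipe %B4111111111111111^DOE/JANE^20121010000000? read",
    "2017-04-03 10:06:02 pos-07 order ;1234567890123456=2012 ref",  # fails Luhn
    "2017-04-03 10:07:15 pos-07 txn ok token=tok_constructed_0001",
]

if __name__ == "__main__":
    for n, f in audit(SAMPLE_LOG):
        print(n, f)
```

Any hit means card data reached the log unencrypted; a `track2` hit exposes the number and expiry only, while a `track1` hit also exposes the name.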

 

captaincranky

Here I thought that "POS" stood for "Piece of Sh!t". Imagine my humiliation, shame, and embarrassment when I realized it meant "Point of Service". :D

And then, in furtherance of my own confusion, I expected that "Forever 21" would be a dating service for people who constantly lie about their ages. :confused:
 

cliffordcooley

Here I thought that "POS" stood for "Piece of Sh!t". Imagine my humiliation, shame, and embarrassment when I realized it meant "Point of Service".
I'm not sure they are not one and the same.
Is there any reason why they can't release which stores had the breaches...?
The same ole BS, people will panic. Then they will run to their pathetic lawyers. It's already a PR nightmare of which they can't stop. They don't want to condense it to a confined location. They are hoping this way it will blow over quicker, and they are probably correct.
 

Polycount

Here I thought that "POS" stood for "Piece of Sh!t". Imagine my humiliation, shame, and embarrassment when I realized it meant "Point of Service". :D

And then, in furtherance of my own confusion, I expected that "Forever 21" would be a dating service for people who constantly lie about their ages. :confused:
HAH! Sorry for the confusion. I did indeed mean "Point of Sale." Maybe if this was an opinion article I could have intended POS to mean something else - joking, joking...

True, Forever 21 does sound like a dating service, or something similar at the very least. The only reason I knew what it was prior to covering this debacle is that my niece loves to shop there. It's... not really my cup of tea, let's put it that way.
 

seefizzle

There is much bs in this article. Not that the article is written poorly, that the facts don't line up very well with how point of sale systems work. You can't just "turn off encryption". If you turned off the encryption the cards wouldn't process at all because the credit card processor is expecting an encrypted communication. If you sent them non-encrypted information they would return an error. Also, there is no difference between track data, so there's no way you get some track data and not all track data. Not to mention, a card's track data shouldn't even be read anymore as we've moved onto EMV chip transactions. EMV doesn't use "track data" like card swipes do. Was Forever 21 processing cards in an EMV manner or not? If not, they have nobody to blame but themselves because the EMV implementation should have happened 2 years ago.

Forever 21 is just b*llshitting everyone at this point. Maybe they have an older, not-very-secure point of sale system running non-EMV transactions. If that's the case, Forever 21 should be telling us about how they're upgrading their systems at all their stores, locking down firewalls, doing complete PCI DSS testing, and overhauling their user access policies. Instead they've made up a bunch of illogical excuses.

Also, this is like the 50th major retailer that's been hacked. It's not like these companies don't know being hacked is a risk. At what point are these companies held criminally responsible for not securing their networks? At this point every single American in this country has had their card numbers stolen probably 2 or 3 times over. Is this just the new reality? Once or twice a year you gotta cancel your cards because you used your card to buy drywall mud at Home Depot or a pair of underwear at the mall. Payment technology will have to change here eventually.