Malware Attack at Forever 21 POS Continued for 7 Months

A recently identified Forever 21 POS malware attack has resulted in customers’ credit card data being accessed. While malware attacks on retail POS systems are now a regular occurance, in the case of the Forever 21 POS malware attack, the security breach is significant due to the length of time malware was enabled on its systems. Hackers first obtained access to its POS system seven months before the infection was noticed.

The Forever 21 POS malware infections were first discovered in October, when a third-party connected credit card fraud to customers who had previously visited Forever 21 stores. The possible malware infections were reviewed and a third-party cybersecurity firm was called in to help.

Forever 21 first made the public announcement about a data breach in November, although the investigation has been constant and now new details about the attack have been released.

The investigation has shown that the attack was extensive and impacted many POS devices used in its U.S. stores. The Forever 21 POS malware attack began on April 3, 2017, with further devices infiltrated over the following 7 months until action was taken to safeguard its systems on November 18, 2017. Forever 21 reports that some POS devices in its stores were only accessed for a few days, others for a few weeks, while some were compromised for the entire seven months.

Reacting to the increased threat of cyber attacks on retailers, Forever 21 started deploying encryption technology on its payment processing systems in 2015; however, the investigation showed the encryption technology was not always enabled.

While the encryption technology was enabled, the hackers would have been unable to obtain the credit card details of its customers, although the information could be stolen at times when the encryption technology was switched off.

Additionally, some devices that were compromised by the malware maintained logs of completed credit card transactions. When the encryption technology was not enabled, details of completed transactions were stored in the logs and could therefore be read by the hackers. Since those logs included details of transactions prior to the malware infections, it is possible that customers who visited affected Forever 21 stores before to April 3, 2017 may also have had their credit card details obtained.

Each store uses many POS devices to take payments from customers, and in most cases only one device per store was infiltrated. The attackers focused their efforts on stores where POS devices did not have encryption turned on. Additionally, the hackers main aim appeared to be to find and infect devices that kept logs of transactions.

On the majority of POS devices, the hackers searched for track data read from payment cards, and in most instances, while the number, expiry date and CVV code was obtained, the name of the card holder was not.

The review into the Forever 21 POS malware attack is still active, and currently it is unclear exactly how many of the company’s 700+ stores have been impacted, how many devices were infected, and how many customers have had their credit and debit card details obtained. However, it is reasonable to expect that an attack of this duration will have impacted many thousands of customers.

The exact type of malware used in the attack is not known, and no reports have been issued that indicate how the hackers obtained access to its systems. It is not yet known if stores outside the US have been impacted.

Link copied to clipboard
Photo of author

Posted by

Elizabeth Hernandez

Elizabeth Hernandez is a news writer on Defensorum. Elizabeth is an experienced journalist who has worked on many publications for several years. Elizabeth writers about compliance and the related areas of IT security breaches. Elizabeth's has a focus data privacy and secure handling of personal information. Elizabeth has a postgraduate degree in journalism. Elizabeth Hernandez is the editor of HIPAAZone. https://twitter.com/ElizabethHzone