Forever 21: We Forgot to Turn on Encryption & Your Credit Card Data Is Stolen – But, Keep Shopping?


Shopped at Forever 21? Your credit card information might have been stolen. The clothing store has revealed that the company suffered a data breach that has resulted in the theft of customers' payment information.

In November, we reported that the clothing retailer was informed of an unauthorized breach by a third party. It had hired investigators and a "leading security and forensics firm" to look into the breach and the potential victim list. The company has now released the details of this investigation, confirming the data breach and the theft of payment information, including customers' card number, expiration date, and internal verification code.


In its statement, the company said that while it had adopted encryption in 2015, the latest investigation revealed that "the encryption technology on some point-of-sale (POS) devices at some stores was not always on". The company added that the investigation confirmed signs of malware that was designed to steal payment card details.

The investigation also found signs of unauthorized network access and installation of malware on some POS devices designed to search for payment card data. The malware searched only for track data read from a payment card as it was being routed through the POS device. In most instances, the malware only found track data that did not have cardholder name – only card number, expiration date, and internal verification code – but occasionally the cardholder name was found.

Forever 21 gave hackers access to its systems for over half of 2017

Forever 21 has said that if you shopped between April 3, 2017 and November 18, 2017, your data could potentially be at risk. Not all consumers who shopped during this period were affected, as the attack "occurred for only a few days or several weeks, and in some stores this scenario occurred for most or all of the timeframe".

If you shopped before April 3, your data could still be at risk since the retailer apparently keeps a log of completed payment card transaction authorizations. "When encryption was off, payment card data was being stored in this log," the company said. "In a group of stores that were involved in this incident, malware was installed on the log devices that was capable of finding payment card data from the logs, so if encryption was off on a POS device prior to April 3, 2017 and that data was still present in the log file at one of these stores, the malware could have found that data."
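The statement above describes two distinct exposures: track data passing through a POS device with encryption off, and that same track data persisting in an authorization log. The following is an added example, not code from the article or from Forever 21, showing the check a defender would run over such a log: it looks for the magnetic-stripe track 1 and track 2 layouts, applies a Luhn check to cut down false positives, and reports only masked card numbers. The log line format and all card numbers and store identifiers are constructed for the example (the PANs are standard test numbers), and the field names are assumptions.

```python
import re
from typing import Dict, List

# Magnetic-stripe track layouts (ISO/IEC 7813). Track 1 begins with "%B" and
# carries PAN, cardholder name and expiry; track 2 begins with ";" and carries
# PAN and expiry only. This is the "track data" the article says the malware
# searched for, and the shape a defender should hunt for in POS logs.
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?"
)
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; filters random digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits (PCI DSS display rule); never emit the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line that stores Luhn-valid track data in clear text."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for track, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            m = pattern.search(line)
            if m is None or not luhn_ok(m.group("pan")):
                continue
            findings.append({
                "line": lineno,
                "track": track,
                "pan_masked": mask_pan(m.group("pan")),
                "expiry_yymm": m.group("exp"),
                # Only track 1 carries the cardholder name, which matches the
                # article's note that the name was found only occasionally.
                "has_name": track == "track1",
            })
    return findings


# Constructed sample of an authorization log (not real Forever 21 data). Lines 1
# and 5 model a lane where encryption was on (only an opaque token is logged);
# lines 2 and 3 model lanes where it was off; line 4 is a Luhn-invalid decoy.
LOG_SAMPLE = [
    "2017-06-12T10:01:03 store=0412 lane=2 auth=OK tok=enc:7f3a9c1e2b44d0aa9b01 amt=42.17",
    "2017-06-12T10:02:15 store=0412 lane=2 auth=OK track2=;4111111111111111=1912101123456789? amt=18.90",
    "2017-06-12T10:03:40 store=0412 lane=3 auth=OK track1=%B5500000000000004^DOE/JANE^1912101000000000000? amt=73.50",
    "2017-06-12T10:04:02 store=0412 lane=1 auth=DECLINED track2=;4111111111111112=1912101123456789? amt=9.99",
    "2017-06-12T10:05:11 store=0412 lane=1 auth=OK tok=enc:0c2d4e6f8a1b3c5d7e9f amt=120.00",
]

if __name__ == "__main__":
    for f in scan_log(LOG_SAMPLE):
        print(f"line {f['line']}: {f['track']} PAN {f['pan_masked']} exp {f['expiry_yymm']}"
              f" name={'yes' if f['has_name'] else 'no'}")
```

Run against the sample, the scanner flags lines 2 and 3 and ignores the tokenised lines and the decoy. A finding on a lane that is supposed to be encrypting is the signal the article describes: encryption was off on that device at that time, and anything written to the log from then on is exposed to whatever can read the log.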

So far it remains unclear whether any stores outside of the United States are affected. Forever 21 has advised its shoppers to review their bank statements for any unauthorized activity and contact their card issuer, since the company that put user data at risk won't take any responsibility itself. When talking to Wccftech in November, Mark Cline, VP at Netsurion, a managed security services firm, had said that "companies must pay up to $172 per stolen record in clean-up costs". Right now, it doesn't appear that Forever 21 is going to pay anything.

The clothing retailer has also advised affected users to get a credit report from credit reporting agencies, including Equifax - the biggest disaster of 2017. Maybe the easiest way is to go back to cash payments? Happy new year to you too...

You can contact the company at 1-855-560-4992 Monday through Friday between 8am to 6pm PST.