It seems Equifax isn’t the only company that’s accidentally exposed sensitive customer information this year. Popular clothing retailer Forever 21 had its credit card op payment system compromised at retail locations throughout the country for several months during 2017.
After hiring “leading payment technology and security firms” to assist with their investigation into the issue, the company discovered that some POS systems at certain Forever 21 store locations had their built-in encryption mechanisms switched off, which allowed malware to be installed. This malware in turn allowed hackers to search for and likely obtain sensitive customer credit card data.
“In most instances, the malware only found track data that did not have a cardholder name,” Forever 21’s official customer notice reads. “But occasionally the cardholder name was found.”
These hacks reportedly took place at “varying times” between April 3rd and November 18th, 2017, leaving the company’s customer base vulnerable for roughly 8 months – though it’s possible that at certain Forever 21 locations credit card data stored in system logs prior to April 3rd could also have been exposed.
The company has made it clear that the length of time each affected POS system was vulnerable varies greatly from store to store. “In some stores, this scenario occurred for only a few days or several weeks,” Forever 21 said in a statement. “and in some stores this scenario occurred for most or all of the timeframe.”
Forever 21 has not yet released any specific information regarding how they plan to prevent these issues from happening in the future, though they have promised to “[continue working with] security firms to enhance [their] security measures.” That said, the company has advised their customers to obtain copies of their credit reports and consider placing a fraud alert on their credit files if they have reason to believe they may have been affected by this data breach.
This isn’t the first time a major retailer has been hit by a cyberattack. GameStop and Chipotle were both the targets of similar attacks during April and May, 2017 respectively.