Fashion retailer Forever 21 has confirmed that customers' payment card information may have been stolen over seven months this year after its point-of-sale terminals in numerous stores across the US were breached by hackers.
In an updated notification to customers, the company recently said hackers managed to install malicious software on some PoS devices at some of its stores at varying times between 3 April and 18 November.
Although Forever 21 noted that its payment processing system has been using encryption technology since 2015, an investigation found that the encryption on some PoS devices "was not always on", thereby leaving them vulnerable to hackers.
Forever 21 did not specify how many stores were affected in the attack and only said that not all terminals in every affected store were infected with malware. The company has over 815 stores in 57 countries including the US, UK, Australia, China, India, Germany, Japan and Latin America.
"Each Forever 21 store has multiple POS devices, and in most instances only one or a few of the POS devices were involved," the company said. "Additionally, Forever 21 stores have a device that keeps a log of completed payment card transaction authorisations. When encryption was off, payment card data was being stored in this log."
The company said malware was also installed on these log devices in some affected stores to steal customers' payment card data. "If encryption was off on a POS device prior to April 3, 2017 and that data was still present in the log file at one of these stores, the malware could have found that data.
"The malware searched only for track data read from a payment card as it was being routed through the POS device," the firm added. "In most instances, the malware only found track data that did not have cardholder name – only card number, expiration date, and internal verification code – but occasionally the cardholder name was found."
Forever 21 is currently working with its payment processors, PoS device provider and third-party security experts to address encryption issues in all of its stores. The company said it is working with law enforcement in its investigation of the attack.
"Forever 21 stores outside of the US have different payment processing systems, and our investigation is ongoing to determine if any of these stores are involved," the company said, noting that payment cards used on Forever 21's website were not affected in the breach.
"We regret this incident occurred and any concern this may have caused you," the firm said.
Customers have been advised to review their payment card statements for any suspicious unauthorised activity. IBTimes UK has reached out to Forever 21 for comment.