Malware and signs of unauthorised network access have been found on some point of sale devices in Forever 21’s US stores, the retailer has revealed.
The young fashion store launched an investigation in October after receiving a “third party” report in October suggesting that there may have been unauthorised access to data from payment cards used at certain Forever 21 locations.
It determined that encryption technology on some devices was not always on, and the retailer is looking into whether non-US stores have been affected.
The retailer said that while in “most instances” the malware did not obtain cardholders’ names, only card numbers, expiration dates and internal verification codes, “occasionally the cardholder name was found”.
In some stores this happened for a few days or several weeks between 3 April 2017 and 18 November 2017, while for others this occurred for most or all of this time frame.
The retailer said in a statement: “Forever 21 has been working with its payment processors, POS device provider, and third party experts to address the operation of encryption on the POS devices in all Forever 21 stores.
“Forever 21 stores outside of the US have different payment processing systems, and our investigation is ongoing to determine if any of these stores are involved. Payment cards used on Forever 21’s website, www.forever21.com, were not affected.”