Forever21 Confirms POS Encryption Turned Off in Certain Stores Allowing Hackers to Install Malware


The Public was first notified back in November of the popular retailers data breach incident. Since then Forever 21 has now confirmed that hackers stole credit card information from its stores throughout the country for several months during 2017. 

Although the company did not yet specify the total number of its customers affected by the breach, it did confirm that malware was installed on some point of sale (POS) systems in stores across the U.S. at varying times between April 3, 2017, and November 18, 2017.

According to the company's investigation, which is still happening, the malware was designed to search for and likely steal sensitive customer credit card data, including credit card numbers, expiration dates, verification codes and, in some cases, cardholder names.

Forever 21 has been using encryption technology since 2015 to protect its payment processing systems, but during the investigation, the company found that some POS terminals at certain stores had their encryption switched off, which allowed hackers to install the malware.

However, according to the company, not every POS terminal in affected stores was infected with the malware and not every store was impacted during the full-time period (roughly 8 months) of the breach.

Consequently, in some cases, payment card data stored in certain system logs before April 3rd were also exposed in the breach.

Forever21 Statement

"Each Forever 21 store has multiple POS devices, and in most instances, only one or a few of the POS devices were involved. Additionally, Forever 21 stores have a device that keeps a log of completed payment card transaction authorizations," the company said while explaining the incident. 
"When encryption was off, payment card data was being stored in this log. In a group of stores that were involved in this incident, malware was installed on the log devices that was capable of finding payment card data from the logs, so if encryption was off on a POS device prior to April 3, 2017, and that data was still present in the log file at one of these stores, the malware could have found that data."

The company also assured its online customers that payment cards used on its website ( were not affected by the breach.


-Allyson White, CEO Alde Security Solutions, LLC.