Retailer Forever 21 has confirmed a payment card data breach it first raised as a possibility in mid-November.
The company said it received a report from a third party in mid-October suggesting there could have been unauthorized access to payment card data at certain stores. The investigation revealed that encryption technology, installed on point-of-sale (POS) devices in 2015, was not always activated at some stores.
Investigators then discovered signs of unauthorized network access and installation of malware on some POS devices. The malware searched for payment card data as it moved through the POS device.
No consistent pattern
Complicating the investigation is the fact that the encryption was not turned off in all stores; it was off for only a few days to several weeks in some stores; and it was off most of the time in other stores.
"Each Forever 21 store has multiple POS devices, and in most instances only one or a few of the POS devices were involved," the company said in a statement. In nearly all cases, potentially compromised transactions occurred between March and October 2017.
Mark Cline, a vice president at Netsurion, a provider of managed security services for multi-location businesses, says there are important lessons to learn here for both consumers and retailers.
“With its endless POS endpoints, the retail industry has always been a desirable target for cybercriminals," he told ConsumerAffairs. "They know that if they can introduce malware into POS networks, they can make a decent amount of cash by selling credit card numbers on the dark web. With their millions of customers, large retailers, like Forever 21, have typically been the hardest hit."
The costs for companies can be enormous. Cline says a retailer pays on average $172 per stolen record in "clean-up costs."
The challenge for retailers is to stay ahead of the hackers. Cline suggests companies first run a vulnerability scan on their internal networks and then update all operating system and software upgrades and patches immediately.
The cost for consumers is mostly in convenience. If promptly reported, consumer liability for fraudulent use of a credit card is limited to $50, and in many cases there is no loss.
If debit card information is stolen, risks may be greater. Policies protecting consumers in these cases tend to vary bank to bank. Needless to say, a thief with a consumer's complete debit card information could clean out the account very quickly.
Consumers using a payment card at a POS terminal are safer paying with a credit card than a debit card. Paying with cash is safer still.
Forever 21 operates more than 815 stores in 57 countries with retailers in the United States and overseas. The company did not provide the number of its stores that may have been affected by the data breach.