0
1
Forever 21 confirmed hackers breached payment system for 7 months, admitted encryption was turned off on some POS devices.
If you shopped in a brick-and-mortar Forever 21 store this year, your credit card information may have been compromised due to the company’s failure to turn on encryption in some of its point-of-sale terminals.
In mid-November, Forever 21 admitted that a third party “suggested” there might have been unauthorized access to payment card data. On December 28, the company revealed more details about the breach without actually saying how many customers were potentially affected or even which stores had the compromised POS devices.
For starters, the investigation into the security incident revealed that hackers had access to customers’ payment card data for up to seven months in 2017 – from April 3 to November 18. Attackers had obtained network access and installed malware meant to harvest credit card data. But the real mind-blower is that encryption was not even turned on in some of Forever 21’s POS devices.
Sure, the company said it implemented encryption technology in 2015; yet the “leading payment technology and security firms” investigating the unauthorized access determined the built-in encryption on some POS devices “was not always on.”
According to newest payment card security incident report, Forever 21 explained that, in addition to the lack of encryption in some of the retail stores’ POS devices, investigators hired in October “found signs of unauthorized network access and installation of malware on some POS devices designed to search for payment card data.”
The malware, Forever 21 said, “searched only for track data read from a payment card as it was being routed through the POS device. In most instances, the malware only found track data that did not have cardholder name – only card number, expiration date, and internal verification code – but occasionally the cardholder name was found.”
To read the original article:
https://www.csoonline.com/article/3245069/security/forever-21-hackers-breached-payment-system-for-7-months-no-encryption-on-pos-devices.html#tk.rss_all
