Forever 21 investigation finds malware, unencrypted data

Security analysts are criticizing Forever 21 Inc. for failing to protect cardholder data from hackers. On Nov. 14, 2017, the retailer disclosed its POS systems had been compromised, but it attempted to downplay the damages. Forensic investigators found anomalous activities had occurred between April and November 2017, but company representatives said it has been using encryption and tokenization since 2015, so a full-scale attack was unlikely to have occurred.

"Encryption only protects data when it's implemented correctly," stated Marc Punzirudu, Director of Security Consulting Services at ControlScan Inc., a managed security and compliance solutions company. "While we don't know what caused the breach at this stage, Forever 21's public statement indicates that encryption was in place but not functioning in all cases, which tells me it wasn't properly and consistently implemented across the organization's chain of stores."

Invoking the security industry's mantra, "trust but verify," Punzirudu said testing is the best way to evaluate a security solution's effectiveness. "There are many products and methods used to protect cardholder data, and it is important that businesses are not lulled into a false sense of security when using any one of them," he said. "You will never know for sure until you test it in an operational setting."

Malware, unencrypted logs

On Jan. 2, 2018, the company shared highlights from the requisite investigation into the intrusion and confirmed encryption technology had not always been active in all devices. Investigators found signs of unauthorized network access and malware designed to search for payment card data on infected devices.

"The malware searched only for track data read from a payment card as it was being routed through the POS device," the company stated. "In most instances, the malware only found track data that did not have cardholder name – only card number, expiration date, and internal verification code – but occasionally the cardholder name was found."

Investigators traced malicious activities, of varying durations, that occurred between April 3, 2017 and Nov. 18, 2017. Criminals had mined data from infected devices for days, weeks and months, according to the statement. They may have also found payment card data stored in the clear on store logs, "so if encryption was off on a POS device prior to April 3, 2017, and that data was still present in the log file at one of these stores, the malware could have found that data," company representatives stated.

Next steps

Forever 21 stated it is working with its payment processors, device manufacturers and third-party experts to ensure that encryption is fully implemented across the enterprise. "Forever 21 stores outside of the U.S. have different payment processing systems, and our investigation is ongoing to determine if any of these stores are involved," company representatives added.

Protecting cardholder data and protecting your business are two very different things, although they often overlap," Punzirudu noted. "Regardless, both are ongoing processes that involve non-stop diligence," he added. "Businesses must take security seriously all the time, because cybercriminals are operating 24/7/365."

It is critical to remain diligent in implementing security controls and to not be distracted by buzzwords such as "PCI DSS scope reduction," Punzirudu said. "Businesses must have a plan in place to internally audit controls that are used to protect cardholder data, as well as a method for regularly analyzing access to environments which may contain cardholder data."

Editorial Note:

Whether you want to upgrade your POS offerings, find a payment gateway partner, bone up on fintech regs or PCI requirements, find an upcoming trade show, read about faster payments, or discover the latest innovations in merchant acquiring, The Green Sheet is the resource for you. Since 1983, we've helped empower and connect payments professionals, starting with the merchant level salespeople who bring tailored payment acceptance and digital commerce tools, along with a host of other business services to merchants across the globe. The Green Sheet Inc. is also a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals.

Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.