Forever 21's follow-up investigation of the data breach it disclosed in November has confirmed that malware was installed on some point-of-sale (POS) devices and that some payment card data was compromised, according to a statement posted on the retailer's website.
The statement read, in part: "The malware searched only for track data read from a payment card as it was being routed through the POS device. In most instances, the malware only found track data that did not have cardholder name — only card number, expiration date, and internal verification code – but occasionally the cardholder name was found."
The retailer did not say how many stores or POS devices were affected during the roughly seven months the breach was active. It did say that the malware was installed, and card data exposed, only at stores where the POS devices' encryption of card data had been turned off for some period: a few days or weeks at some stores, the entire seven-month window at others.
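The two statements above describe exactly what RAM-scraping POS malware hunts for and why disabled encryption matters: magnetic-stripe track data in the card reader's output. Track 2 carries the PAN, expiry, service code and discretionary data (where the card-verification value the statement calls the "internal verification code" lives) but no name; Track 1 additionally carries the cardholder name, which is why the name turned up only "occasionally". The scanner below is an added example, not Forever 21's or any investigator's code. It matches both track formats in a byte buffer, filters false positives with a Luhn check, and then shows that the same scan over a buffer the card reader encrypted before handing it to the POS application finds nothing. The memory buffer and the keystream-XOR standing in for reader-side encryption are constructed for the example; the PANs are the standard Visa and Mastercard test numbers.

```python
import hashlib
import re

# Track 2 layout: ;PAN=YYMM<3-digit service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# Track 1 layout: %B<PAN>^<NAME>^YYMM<3-digit service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check; scrapers and scanners both use it to drop random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track_data(buf: bytes) -> list:
    """Return every Luhn-valid Track 1 / Track 2 record found in a raw byte buffer."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "pan": pan, "name": m.group(2).decode().strip(),
                         "exp": m.group(4).decode() + "/" + m.group(3).decode(),
                         "service_code": m.group(5).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "pan": pan, "name": None,   # Track 2 has no name field
                         "exp": m.group(3).decode() + "/" + m.group(2).decode(),
                         "service_code": m.group(4).decode()})
    return hits


def toy_reader_encryption(buf: bytes, key: bytes) -> bytes:
    """Constructed stand-in for a card reader that encrypts before the POS app sees the bytes.
    A SHA-256 counter keystream XOR is NOT real P2PE; it only shows the scanner's view."""
    stream = b""
    counter = 0
    while len(stream) < len(buf):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(buf, stream))


# Constructed POS process memory: a Track 2 swipe (no name), a Track 1 swipe (with name),
# and a digit run that looks like a card but fails Luhn.
SAMPLE_POS_MEMORY = (
    b"\x00\x00POSAPP v1.2\x00"
    + b";4111111111111111=25121010000000000123?"
    + b"\x00\x00"
    + b"%B5555555555554444^DOE/JOHN^26011010000000000456?"
    + b"\x00junk;1234567890123456=25121010000000000000?"
)


def demo() -> tuple:
    """Scan the plaintext buffer, then the same buffer as the scanner would see it
    when encryption was left on. Returns (plaintext_hits, encrypted_hits)."""
    plain = find_track_data(SAMPLE_POS_MEMORY)
    encrypted = find_track_data(toy_reader_encryption(SAMPLE_POS_MEMORY, b"constructed-key"))
    return plain, encrypted


if __name__ == "__main__":
    plain, encrypted = demo()
    for h in plain:
        print(f"track {h['track']}: pan={h['pan']} exp={h['exp']} name={h['name']}")
    print(f"records recovered with reader encryption on: {len(encrypted)}")
```

The same regexes serve defenders: run them over a memory dump or a process's writable pages on a POS host, and any Luhn-valid hit outside the payment application's own buffers is a strong indicator that card data is reaching memory in the clear, which is the precondition the malware here relied on.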
The statement largely confirms what little was already known when Forever 21 first disclosed the breach in November: some customer payment card data was most likely exfiltrated to whoever planted the malware.
Beyond that, Forever 21 either still doesn't know or still isn't sharing much. It is not clear how many stores or devices were infected, nor how many customers were affected. The breach could have been worse, since not every compromised record contained the full set of track data, but without a count of affected cards it is hard to put that in perspective.
The state of affairs that led to the malware being installed still seems rather murky. There hasn't been a clear reason given for why the encryption was turned off for apparently varying amounts of time at some stores, who was at fault for letting this happen, or whether or not it was intentional.
Forever 21's issuing of a follow-up statement is interesting in itself, though, as many retailers aren't willing to do that. Companies tend to admit a breach only when information from third parties has forced them to do so, usually issuing vague but well-meaning statements, and unless the breach was particularly huge, we don't often hear of it again. That could actually work in Forever 21's favor — millennials, in particular, prefer to buy from brands they feel they can trust, with 47% expressing a desire for brands to take ownership of their mistakes and take the consumer’s feedback into account.
The discovery of the breach was badly timed for Forever 21, coming just before the holiday shopping season, but it is not yet clear how much it affected the company's bottom line in the most recent quarter. Despite the update, there is much more still to learn about the incident.