Forever 21 is investigating a report it received from a third party that payment cards used in some of its stores in recent months may have been subject to unauthorized access, according to a company press release.
Though the retailer has used encryption and tokenization services on point-of-sale devices since 2015, the company said that the unauthorized access appears to have occurred only on "certain" devices at times when the encryption on those devices was not operating, per the release.
The company's investigation is focused on card transactions in Forever 21 stores from March to October of this year. Because the investigation is continuing, the company said complete findings are not available, and it is too early to provide further details on the investigation.
There's no good time to report a data breach, but doing so just days before the holiday shopping season kicks into high gear is a special kind of unfortunate timing. Depending on how bad the breach is, consumers could lose trust and confidence in the brand and plan their holiday shopping at other retailers rather than risking their financial information with Forever 21. Not only will it be tough to win back affected customers, but there isn't an easy way to win back those sales either. Holiday shoppers are already wary of making purchases online due to cyberthreats and 66% of those shoppers wouldn't return to a store where their data was compromised.
Following Forever 21's admission of the incident, Paul Martini, CEO and co-founder of security gateway firm iBoss, said in an e-mail exchange with Retail Dive, "Retail stores are always a prime target for hackers, but this time of the year there is a gigantic bull's eye on their back, and it only takes one vulnerable device hidden among thousands to put your payment card details at risk."
At this point, Forever 21 can do nothing but react to what has happened. On that front, the fast fashion retailer said it has engaged a leading security and forensics firm to assist with the investigation, and that it will provide additional details when it becomes more clear which specific stores and timeframes may have been involved.
For now, however, it appears that there are precious little details available — no information about how many stores and POS systems were involved, no details about how many customers were affected, and perhaps most curiously, no details on why encryption and tokenization capabilities were "not operating" when this incident occurred. Those capabilities are an important component of a retailer's security measures, considering that they offer the extra layers of transaction security above and beyond what something like EMV can offer, with regards to protecting an entire transaction and the communication of that transaction over a network.
Beyond these lingering questions, this incident is a reminder that retailers need to remain constantly watchful and work closely with partners such as POS system vendors to assess ongoing threats and potential weaknesses in their devices, especially during the holidays, when these kinds of attacks are more likely.
As Fred Kneip, CEO of cyber risk management exchange CyberGRX, said in a note e-mailed to Retail Dive, retailers need to perform regular risk assessments to avoid situations like this in the future.
"Breaches stemming from attacks on third parties such as point-of-sale vendors are an epidemic in the retail industry. Digital ecosystems have become increasingly interconnected, and downstream vulnerabilities from a vendor or partner can cause real damage," Kneip noted. "By performing proper risk assessments on their POS system providers — or any third party in their digital ecosystem — merchants can uncover weak security controls and work with the vendor to remediate these issues before vulnerabilities are exploited."