Forever 21 Inc. has found a computer data breach that compromised customer data sporadically over an eight-month period.
Following a two-month investigation, the Los Angeles clothing retailer confirmed the breach through malware installed on point-of-sale devices at some of its U.S. stores. In most cases, the malware was only able to find data from cards that did not have the cardholder’s name to go along with the card number, verification code and expiration date. But in some cases, the cardholder’s name was also stolen.
The investigation found that the malware invasions resulted when point-of-sale devices at some U.S stores were turned off from April 3 to Nov 18.
Forever 21 stores each have multiple POS devices, the company said, adding that “in most instances only one or a few of the POS devices were involved.” Some stores have a device that saves a log of completed authorizations for card transaction. Malware was found on these log devices, Forever 21 added.
The retailer has been working with payment processors, its POS device provider, and third-party advisors to correct the issue in all Forever 21 stores, the company said, Payments made on the company’s e-commerce site were not affected, the statement said.
“Because the investigation is continuing, complete findings are not available, and it is too early to provide further details on the investigation,” said the company in a statement. “Forever 21 expects to provide an additional notice as it gets further clarity on the specific stores and timeframes that may have been involved.”
The company said if customers see authorized charges from Forever 21, they should notify their banks immediately.
Forever 21 operates more than 815 stores in 57 countries.