Forever 21: Yes, hackers breached our payment system

The clothing retailer says a breach of its systems let hackers steal some customer credit card data throughout much of 2017.

Laura Hautala Former Senior Writer

The Forever 21 store in Times Square in New York City in 2017. The retailer said Thursday hackers infiltrated some point of sales machines at its stores throughout the country.

Getty Images

That cute wardrobe update you bought this year might have let hackers into your wallet.

A breach at Forever 21 left customer payment card information exposed to hackers, the retailer confirmed Thursday. The company didn't specify how many customers had information stolen, but said various point of sales terminals were affected between April 3 and November 18, 2017. Hackers collected credit card numbers, expiration dates, verification codes and sometimes cardholder names.

"We regret this incident occurred and any concern this may have caused you," the company said in its notification.

In its notification to customers, Forever 21 said hackers installed malicious software on some point of sales terminals in stores throughout the country. It's an update to a November 14 announcement saying the company may have been targeted by hackers. The breach is another example of how cybercriminals are targeting major retailers by hacking the systems that process your credit and debit cards, despite companies' efforts to make that harder to do. Fast food chain Chipotle was hit by a similar hack in 2017, as was video game retailer GameStop.

Companies have technologies in place to foil hackers, but they don't always work. Forever 21 said its point of sales terminals, which cashiers use to swipe customers' cards, are supposed to be encrypted. That means anyone intercepting the information would be unable to read it. But sometimes, that encryption was turned off, Forever 21 said in its notification.

The result: hackers who'd infected the machines with their tools could collect credit card numbers, expiration dates and internal verification codes. At times, they could also collect the customer's name, Forever 21 said in its notification.

There's an ongoing law enforcement investigation into the hack, the company said in its update.
