Cyber Incident Victim: Forever 21

Date: Mar 2017

Location: United States of America

Summary

A fashion retailer experienced unauthorized access to payment card data at certain store locations due to compromised point-of-sale devices where encryption was inactive. The breach occurred over several months and was discovered following a third-party notification, prompting an investigation that remained ongoing with incomplete findings disclosed. The incident impacted transactions at an unspecified subset of the company's global network of over 800 stores across 57 countries.

Description

Forever 21 disclosed a payment card security breach on November 14, 2017, following unauthorized access to data from cards used at some of its retail locations. The company initiated an investigation after receiving a third-party report indicating potential unauthorized activity, though the specific nature of this report was not detailed. The forensic review focused on transactions processed between March and October 2017 across its global store network. Forever 21 confirmed that the breach stemmed from compromised point-of-sale (POS) devices where encryption security measures were not operational at the time of the incidents. The retailer emphasized that only specific POS terminals in select stores were impacted, though it did not identify the affected locations or quantify the number of compromised devices. With over 815 stores operating in 57 countries, the breach potentially exposed payment card details from customers in multiple regions, though the company provided no geographic specifics. The investigation remained ongoing at the time of disclosure, preventing Forever 21 from releasing comprehensive findings about the attack's origin or full scope.

The breach timeline suggests attackers intermittently targeted vulnerable POS systems over at least seven months before detection. Forever 21's public statement confirmed the intrusion was confined to stores where encryption failures occurred on payment processing devices, but did not specify whether malware, network intrusions, or physical tampering caused the compromise. No customer names, addresses, or other personally identifiable information were confirmed as exposed, limiting the known impact to payment card data from in-store transactions. The company's response included launching the investigation and issuing a public disclosure, though it provided no details about customer notifications, complimentary credit monitoring, or coordination with law enforcement. Because the affected store locations were not disclosed, customers could not judge their own exposure from their purchase history. Forever 21's operational scale as a global fast-fashion retailer indicated significant potential exposure, but without confirmed victim numbers or financial impact figures, the breach's severity could not be quantified beyond the technical details described.