Forever 21 breach: Hackers target unencrypted POS systems

Global fashion retailer Forever 21 has revealed that earlier this year hackers gained access to several of its unencrypted payment card systems and potentially stole payment information belonging to customers.

In a press release, Forever 21 said:

“Forever 21 is notifying its customers that it recently received a report from a third party that suggested there may have been unauthorized access to data from payment cards that were used at certain Forever 21 stores. Forever 21 immediately began an investigation of its payment card systems and engaged a leading security and forensics firm to assist.”

The company, which operates more than 815 stores in 57 countries, said that only certain point-of-sale (POS) devices in some stores had been affected by the breach. However, it failed to mention which stores were breached.

Forever 21 has advised customers to closely monitor their payment card statements: “If customers see an unauthorized charge, they should immediately notify the bank that issued the card.”

POS system breaches are an increasing threat

This is not the first time a large chain has been targeted by hackers this year. Here are just a few of the POS breaches we have reported on in 2017:

A preventable breach

The breach could have been prevented if all of Forever 21’s POS systems had been encrypted. As a merchant, the retailer should have been fully compliant with the Payment Card Industry Data Security Standard (PCI DSS).

Encrypting transmission of cardholder data across open, public networks is a key compliance requirement of the PCI DSS.

The PCI DSS aims to increase payment card security and applies to all organizations worldwide that transmit, process, or store payment data.
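To make the encryption point concrete, the following added example (not code from Forever 21, the PCI SSC, or the original article) contrasts what an unencrypted POS terminal hands to the network with what an encrypting terminal does. It assumes a hypothetical terminal that seals captured card data with AES-256-GCM under a key held in the terminal's secure element, so anything downstream (the store LAN, the back-office host, the link to the processor) carries only ciphertext; the card number is a constructed test PAN and the key is a constructed placeholder. It also shows the PAN masking that PCI DSS permits on receipts and logs, and a simple check a defender can run over captured traffic or a memory dump to confirm no PAN is present in the clear.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// CardData is the cardholder data a terminal captures at swipe or dip.
type CardData struct {
	PAN    string // primary account number
	Expiry string // MMYY
	Name   string
}

// SerializePlaintext is what an UNENCRYPTED terminal puts on the wire or
// keeps in memory: the PAN is readable by anyone who can observe it.
func SerializePlaintext(card CardData) []byte {
	return []byte(card.PAN + "|" + card.Expiry + "|" + card.Name)
}

// MaskPAN renders a PAN the way PCI DSS allows on receipts and logs:
// at most the first six and last four digits visible.
func MaskPAN(pan string) string {
	if len(pan) <= 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// EncryptCardData seals the cardholder data with AES-256-GCM. In a real
// deployment the key never leaves the terminal's secure element or the
// processor's HSM; here the caller supplies it. Output: nonce || ciphertext || tag.
func EncryptCardData(key []byte, card CardData) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, SerializePlaintext(card), nil), nil
}

// DecryptCardData is the processor-side inverse; it fails closed if the
// payload is truncated or was tampered with (GCM tag check).
func DecryptCardData(key, payload []byte) (CardData, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return CardData{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return CardData{}, err
	}
	ns := gcm.NonceSize()
	if len(payload) < ns {
		return CardData{}, errors.New("payload too short")
	}
	pt, err := gcm.Open(nil, payload[:ns], payload[ns:], nil)
	if err != nil {
		return CardData{}, err
	}
	parts := strings.SplitN(string(pt), "|", 3)
	if len(parts) != 3 {
		return CardData{}, errors.New("malformed plaintext")
	}
	return CardData{PAN: parts[0], Expiry: parts[1], Name: parts[2]}, nil
}

// ContainsPlaintextPAN is the defender's check: does a captured payload
// (network capture, memory dump, log file) contain the PAN in the clear?
func ContainsPlaintextPAN(payload []byte, pan string) bool {
	return bytes.Contains(payload, []byte(pan))
}

func main() {
	// Constructed test data: a well-known test PAN and an all-zero placeholder key.
	card := CardData{PAN: "4111111111111111", Expiry: "1225", Name: "TEST CARDHOLDER"}
	key := make([]byte, 32)

	clear := SerializePlaintext(card)
	sealed, err := EncryptCardData(key, card)
	if err != nil {
		panic(err)
	}
	fmt.Println("receipt shows:", MaskPAN(card.PAN))
	fmt.Println("unencrypted terminal leaks PAN:", ContainsPlaintextPAN(clear, card.PAN))
	fmt.Println("encrypting terminal leaks PAN: ", ContainsPlaintextPAN(sealed, card.PAN))
}
```

Run as-is it prints `411111******1111`, `true` for the unencrypted path and `false` for the encrypted one. The design point is that once the terminal encrypts at capture, an intruder with access to the store's POS systems, which is what Forever 21 describes, obtains only opaque ciphertext, and compliance evidence for the encryption requirement becomes a check you can actually run rather than a policy statement.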

However, despite the prospect of fines and penalties, many merchants are not fully compliant.

Protecting your POS system

If your organization’s POS system is not protected properly, you could become an easy target for hackers.

It is therefore increasingly important for organizations to implement effective measures to defend their payment environments against external threats.

Documenting your security policies and procedures shows your commitment to protecting sensitive information, and it is also a key requirement for PCI compliance.

Compiling these policies can be a time-consuming and challenging task.

The PCI DSS Documentation Toolkit provides you with all the policies, procedures, and instructions you need to achieve compliance with the Standard. The toolkit includes:

  • A complete set of easy-to-use, customizable, and fully PCI-compliant documentation templates, including:
    • PCI DSS Charter
    • PCI DSS Compliance Program
    • Operational Security Policy Statement
    • Cryptographic Key Management
    • Cardholder Data Policy Statement
  • Helpful gap analysis and project tools to ensure complete coverage of the Standard
  • Guidance documents
  • PCI DSS staff awareness training

Take a free trial of the toolkit to view a full list of the documents and try them out.

View sample PCI DSS policies and procedures.