Forever 21 has revealed that between March and October this year, hackers gained unauthorised access to several of its unencrypted payment card systems and possibly stole payment card information belonging to customers.
Forever 21 has launched an investigation into the data breach which occurred because the affected payment card systems weren't encrypted.
Global fashion retailer Forever 21, which enjoys an annual turnover in excess of $4 billion, has said that it was recently made aware about the said data breach by a third party and that the investigation will reveal the true extent of the breach.
The retailer did not mention the names of the stores that were breached by hackers who exploited a lack of encryption in the same. Considering that the investigation is presently on-going, we cannot confirm if any of the brand's stores in the UK were affected.
The data breach takes place at a time when hackers are increasingly targeting unsecured point-of-sale systems at major retail outlets and supermarkets to gain access to credit card details of customers. In September, Whole Foods Market, which was recently acquired by Amazon for $13.7 billion, confirmed that payment card information of its customers was subjected to unauthorised access at certain taprooms and full table-service restaurants.
Between March and July this year, hackers were also able to access payment card information for customers at several Hyatt hotels located in China, Brazil, the United States, India, Japan, Malaysia and several other countries. Details accessed by the hackers included cardholder names, card numbers, verification codes and expiration dates, which are enough for malicious hackers to perform financial transactions online.
In such a scenario, it is worth questioning why major brands, including Forever 21, fail to secure their payment card systems with encryption. The recent Verizon 2017 Payment Security Report has revealed that as many as 44.6% of organisations fail to comply with the security standards laid out by the Payment Cards Industry in 2016.
Verizon added that of all the payment card data breaches that it investigated between 2010 and 2016, none of them was fully PCI DSS compliant at the time of the breach. However, full compliance with PCI DSS standards has progressed over the years, with the percentage of compliant firms going up from 11.1% in 2012 to 55.4% in 2016.
Despite the progress, Verizon found that companies that failed interim audit assessments in 2016 had an average of 13% controls not in place. Such lack of control translated to 5.8% for all companies, thus confirming that almost every enterprise is vulnerable to a greater or lesser degree.
'It’s an unfortunate reality of today’s sensitive security environment, but ensuring that traffic carrying sensitive data is encrypted is absolutely essential, particularly when it’s customer financial information. The next step should be making sure encryption is implemented across the entire organisation and, crucially, that once this is done IT retains control and visibility over all of the machine identities that are in use,' says Craig Stewart, VP EMEA at Venafi.
'Anything less is just re-arranging deck-chairs on the Titanic as hackers will just shift their focus and attack through encrypted traffic instead. The good news is that many of these problems can be solved by automation, ensuring that no store is ever left without secure encryption again,' he adds.