Forever 21
by Stephen Garner

Fast-fashion retailer Forever 21, Inc. has released additional information about the payment card security incident that it first reported on November 14, 2017.

An investigation into the incident found that the retailer's point-of-sale (POS) encryption was off and malware was installed on some devices in some U.S. stores at varying times during the period from April 3, 2017 to November 18, 2017. In some stores, this scenario occurred for only a few days or several weeks, and in some stores, this scenario occurred for most or all of the timeframe. Each Forever 21 store has multiple POS devices, and in most instances, only one or a few of the POS devices were involved.

Additionally, Forever 21 stores have a device that keeps a log of completed payment card transaction authorizations. When encryption was off, payment card data was being stored in this log. In a group of stores that were involved in this incident, malware capable of finding payment card data in the logs was installed on the log devices. As a result, if encryption was off on a POS device prior to April 3, 2017 and that data was still present in the log file at one of these stores, the malware could have found that data.

Forever 21 has been working with its payment processors, POS device provider, and third-party experts to address the operation of encryption on the POS devices in all Forever 21 stores. Forever 21 stores outside of the U.S. have different payment processing systems, and its investigation is ongoing to determine if any of these stores are involved. Payment cards used on Forever 21’s website were not affected.

In addition to addressing encryption, Forever 21 is continuing to work with security firms to enhance its security measures. The retailer also said that it will continue to work with the payment card networks so that the banks that issue payment cards can be made aware of this incident.

It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity. Customers should immediately report any unauthorized charges to their card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of the payment card.

If customers have questions, they can visit or call 1-855-560-4992.