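Last Thursday, apparel retail giant Forever 21 announced that its stores had been attacked by hackers and that customers' bank payment card information may have been leaked. Reportedly, the attack affected only payment activity and data at POS terminals; purchases made on the Forever 21 website were not affected.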
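Forever 21 operates 815 stores in 57 countries worldwide, including the UK, the US, Australia, China, India, Germany, Japan and several Latin American countries. The company did not disclose the specific number of affected customers, acknowledging only that the breach took place between April 3 and November 18, 2017. Forever 21 has reportedly advised customers to check and confirm their payment information. The company is also working with its payment processing platform, PoS device provider and third-party security experts to resolve the incident, and has pledged to pursue legal action against those responsible once the investigation is complete.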
Fashion retailer Forever 21 has confirmed that customers' payment card information may have been stolen over seven months this year after its point-of-sale terminals in numerous stores across the US were breached by hackers.
In an updated notification to customers, the company recently said hackers managed to install malicious software on some PoS devices at some of its stores at varying times between 3 April and 18 November.
Although Forever 21 noted that its payment processing system has been using encryption technology since 2015, an investigation found that the encryption on some PoS devices "was not always on", thereby leaving them vulnerable to hackers.
Forever 21 did not specify how many stores were affected in the attack and only said that not all terminals in every affected store were infected with malware. The company has over 815 stores in 57 countries including the US, UK, Australia, China, India, Germany, Japan and Latin America.
"Each Forever 21 store has multiple POS devices, and in most instances only one or a few of the POS devices were involved," the company said. "Additionally, Forever 21 stores have a device that keeps a log of completed payment card transaction authorisations. When encryption was off, payment card data was being stored in this log."
The company said malware was also installed on these log devices in some affected stores to steal customers' payment card data. "If encryption was off on a POS device prior to April 3, 2017 and that data was still present in the log file at one of these stores, the malware could have found that data.
"The malware searched only for track data read from a payment card as it was being routed through the POS device," the firm added. "In most instances, the malware only found track data that did not have cardholder name – only card number, expiration date, and internal verification code – but occasionally the cardholder name was found."
Forever 21 is currently working with its payment processors, PoS device provider and third-party security experts to address encryption issues in all of its stores. The company said it is working with law enforcement in its investigation of the attack.
The news caps off the litany of cyberattacks targeting retail giants and restaurants this year including Chipotle, GameStop, Whole Foods and Kmart among others.
"Forever 21 stores outside of the US have different payment processing systems, and our investigation is ongoing to determine if any of these stores are involved," the company said, noting that payment cards used on Forever 21's website were not affected in the breach.
"We regret this incident occurred and any concern this may have caused you," the firm said.
Customers have been advised to review their payment card statements for any suspicious unauthorised activity. IBTimes UK has reached out to Forever 21 for comment.