Forever 21 And The Importance Of Penetration Testing


When you’re in a store buying a new pair of pants or going back-to-school shopping with your kids, IT security might be the last thing on your mind. But the unfortunate reality of the 21st century is that credit card fraud and data breaches can happen anywhere you use your credit card, including in a store.

This is what happened with Forever 21. If you shopped at one of their more than 600 stores across North and South America at any point between April 3rd and November 18th, 2017, your data may have been compromised.

But what happened during this breach? What data was stolen? How did the hackers access this data? And what could Forever 21 have done differently to stop it?

Read on to find out.

What happened?

Forever 21 made an announcement back in November warning of a potential breach, which they said they discovered after receiving a third-party report. They had received that report in October.

In that report, they discovered that while they had been using encryption on their POS devices since 2015, it wasn’t always turned on. As a result, the data they had was as vulnerable as if they hadn’t used encryption at all.

The report also found evidence that malware was installed on some of their POS devices. Some of this malware was only active for a few days, while other instances had been active for the entire time – some were even active when discovered.

Each Forever 21 store has a log of all completed credit card transactions, and when the encryption was off, the hackers could access all the information contained in that log.
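A defender can check for this gap directly by scanning the transaction log for card numbers that were written in the clear. The following is an added example, not code from the original article or from Forever 21's systems; the log format, terminal names and values are constructed, and the card numbers are well-known test numbers.

```python
import re
from collections import defaultdict

# Constructed sample log. The line format is an assumption for illustration:
# terminals with encryption on write an opaque "ENC:" token instead of the PAN.
SAMPLE_LOG = """\
2017-05-02T10:14:03 terminal=POS-01 status=approved card=ENC:9f3a61c2e0b7d4a8 amount=24.90
2017-05-02T10:15:41 terminal=POS-03 status=approved card=4111111111111111 exp=0520 amount=12.00
2017-05-02T10:17:09 terminal=POS-03 status=approved card=5500 0000 0000 0004 exp=1119 amount=59.80
2017-05-02T10:18:30 terminal=POS-02 status=approved card=ENC:71c0aa93f5e2b6d1 ref=1234567890123456 amount=8.50
"""

# 13-19 digits, optionally grouped with spaces or dashes, not glued to other
# alphanumerics (so hex tokens and timestamps are not candidates).
CANDIDATE = re.compile(r"(?<![\dA-Za-z])\d(?:[ -]?\d){12,18}(?![\dA-Za-z])")
TERMINAL = re.compile(r"terminal=(\S+)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits so the report itself holds no PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def cleartext_pans_by_terminal(log_text: str) -> dict:
    """Return {terminal: [masked PAN, ...]} for every cleartext card number."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = TERMINAL.search(line)
        terminal = m.group(1) if m else "unknown"
        for cand in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", cand.group())
            if luhn_ok(digits):
                hits[terminal].append(mask(digits))
    return dict(hits)


if __name__ == "__main__":
    for terminal, pans in cleartext_pans_by_terminal(SAMPLE_LOG).items():
        print(f"{terminal}: {len(pans)} cleartext card number(s): {pans}")
```

Any terminal that appears in the output is writing card data without encryption, whatever its configuration claims.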

Forever 21 has been working with their payment processor and IT security firms to fix these gaps in security, but meanwhile their customers are left at risk.

What Did The Hackers Take?

It’s difficult to say which stores were compromised, and which were not. At the time of this writing, Forever 21 has yet to release any data on that.

The hackers did, however, have access to complete credit card data for a significant number of Forever 21’s customers. Because the stores log all their customer credit card information, the hackers only needed to install malware on a single terminal per store.

In some cases, though, Forever 21’s IT security investigation company found that the credit card data was incomplete – having a card number, expiration date, and internal verification code, but not the cardholder’s name. This was only the case some of the time, though – in multiple cases the cardholder’s name leaked along with the rest of the data.

Notably, credit card purchases made online were not affected. While Forever 21’s POS systems work differently outside the US, the company is still investigating whether or not they were affected by the breach. Sorry, Canadians and Latin Americans, you’re not out of the woods yet.


What Did Forever 21 Do Wrong?

The multimillion dollar question.

First of all, let’s talk about what they did right. They acquired encryption for their POS systems. That’s a great first step. They clearly installed it, too.

But that wasn’t enough. If it was, they wouldn’t have suffered a data breach, and I’d be writing this article about something else.

Think about your home. Imagine you live in a multimillion dollar mansion with priceless artwork on your walls. Naturally, you’ll want to make sure it has the highest quality security system on it.

But what happens if the security system you purchase is so complex that you’re not sure if it’s actually locked? What do you do?

Hope for the best? Maybe, but if your home is on the line you might take it a little more seriously.

No, your best solution is to hire someone with a good understanding of your home’s security systems to test it for you and make sure it’s protecting you as best it can.

Penetration Testing

That’s exactly what penetration testing does.

A penetration testing team is essentially a team of hackers you hire to try and breach your defenses.

A penetration tester’s job is to stay up to date with the latest developments in the world of IT security, and hacking itself, but to use their powers for good instead of evil.

It may seem weird to hire someone to hack your systems, but when a penetration testing team does it, it’s not for the same reason the bad guys are doing it. We find gaps in your security systems and tell you about them, so you can be prepared for when the bad guys actually do show up.

Had Forever 21 contracted a third-party penetration testing team to test their new encryption systems for the POS terminals, this entire situation could have been avoided.

Contact 1st Secure IT

Have you recently acquired a new encryption layer for your POS systems? Implemented a new suite of security software? Are you wondering whether your current IT security systems are up to snuff?

Contact 1st Secure IT today.

We can run a penetration test on your systems, discover any potential weaknesses, and report back to you with concrete solutions on how you can improve your security and mitigate the risk of a data breach or other cyber attack.

Don’t wait until you’re in a situation like Forever 21 is now. Contact 1st Secure IT today, and take your first step toward a safer, securer business.

1st Secure IT

4613 N. University Drive #323
Coral Springs Florida
(866) 735-3369

Monday, 19 August 2019