Over a period of seven months in 2018, Forever 21 experienced a significant cybersecurity incident when attackers accessed payment card data from an undisclosed number of customers. The attackers managed to penetrate the network and deploy malware designed to harvest credit card information straight from the retailer's point-of-sale (POS) system. A critical security lapse was identified as some of Forever 21's POS devices were not encrypted, which likely facilitated the breach. The exact number of impacted customers remains unclear, even years after the incident. Forever 21 faced a class-action lawsuit as a result of this breach and agreed to settle by compensating for the 'valid out-of-pocket expenses and charges that were incurred and plausibly arose' due to the breach. However, the total financial impact of this compensation has not been disclosed, leaving the full extent of the damage somewhat opaque.
Source: https://arcticwolf.com/resources/blog/10-major-retail-industry-cyber-attacks/
TPRM report: https://scoringcyber.rankiteo.com/company/forever-21
"id": "for1001050624",
"linkid": "forever-21",
"type": "Breach",
"date": "05/2023",
"severity": "75",
"impact": "2",
"explanation": "Attack limited on finance or reputation"{'affected_entities': [{'industry': 'Fashion Retail',
'name': 'Forever 21',
'type': 'Retailer'}],
'attack_vector': 'Malware',
'data_breach': {'data_encryption': 'None',
'data_exfiltration': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Payment card data'},
'description': 'Over a period of seven months in 2018, Forever 21 experienced '
'a significant cybersecurity incident when attackers accessed '
'payment card data from an undisclosed number of customers. '
'The attackers managed to penetrate the network and deploy '
'malware designed to harvest credit card information straight '
"from the retailer's point-of-sale (POS) system. A critical "
"security lapse was identified as some of Forever 21's POS "
'devices were not encrypted, which likely facilitated the '
'breach. The exact number of impacted customers remains '
'unclear, even years after the incident. Forever 21 faced a '
'class-action lawsuit as a result of this breach and agreed to '
"settle by compensating for the 'valid out-of-pocket expenses "
"and charges that were incurred and plausibly arose' due to "
'the breach. However, the total financial impact of this '
'compensation has not been disclosed, leaving the full extent '
'of the damage somewhat opaque.',
'impact': {'data_compromised': 'Payment card data',
'legal_liabilities': 'Class-action lawsuit',
'payment_information_risk': 'High',
'systems_affected': 'POS system'},
'motivation': 'Financial Gain',
'post_incident_analysis': {'root_causes': 'Unencrypted POS devices'},
'regulatory_compliance': {'legal_actions': 'Class-action lawsuit'},
'title': 'Forever 21 Data Breach',
'type': 'Data Breach',
'vulnerability_exploited': 'Unencrypted POS devices'}