If you shopped at a Forever 21 store this year, there’s a chance your credit card information may have been stolen, CNET reports. The retail store confirmed this week that between April 3rd and November 18th of this year, a number of point of sale terminals at stores across the US were breached. While it hasn’t provided any numbers on how many customers were affected, Forever 21 did say that in most cases, card numbers, expiration dates and verification codes, but not cardholder names, were obtained by hackers. However, in some cases names were also obtained. Encryption is usually used by the store to protect its payment processing system, but in some stores, the encryption was sometimes off, opening up their point of sale terminals to malware. Not every terminal in every affected store was infected with the malware and not every store was impacted during the full time period of the breach. In some cases, credit card data stored in certain system logs prior to April 3rd were also exposed. Forever 21 said payment processing systems outside of the US work differently but that it was investigating whether non-US stores were affected as well. Purchases made through its website weren’t impacted by the breach. Chipotle and GameStop suffered similar breaches this year while hotel giant HEI announced it was hit with the same type of data breach last year . In a statement , Forever 21 said, “In addition to addressing encryption, Forever 21 is continuing to work with security firms to enhance its security measures. We also continue to work with the payment card networks so that the banks that issue payment cards can be made aware of this incident. Lastly, we will continue to support law enforcement’s investigation of this incident.” Via: CNET Source: Forever 21
Read More:
Forever 21 breach exposed customer credit card info for months
Long-time Slashdot reader t0qer writes: I’m the IT director at a medical marijuana dispensary. Last week the point of sales system we were using was hacked… What scares me about this breach is, I have about 30, 000 patients in my database alone. If this company has 1, 000 more customers like me, even half of that is still 15 million people on a list of people that “Smoke pot”… ” No patient, consumer, or client data was ever extracted or viewed, ” the company’s data directory has said. “The forensic analysis proves that. The data was encrypted — so it couldn’t have been viewed — and it was never extracted, so nobody has it and could attempt decryption.” They’re saying it was a “targeted” attack meant to corrupt the data rather than retrieve it, and they’re “reconstructing historical data” from backups, though their web site adds that their backup sites were also targeted. “In response to this attack, all client sites have been migrated to a new, more secure environment, ” the company’s CEO announced on YouTube Saturday, adding that “Keeping our client’s data secure has always been our top priority.” Last week one industry publication had reported that the outage “has sent 1, 000 marijuana retailers in 23 states scrambling to handle everything from sales and inventory management to regulatory compliance issues.” Read more of this story at Slashdot. 
Joseph Cox, reporting for Motherboard: In January, Motherboard reported on the FBI’s “unprecedented” hacking operation, in which the agency, using a single warrant, deployed malware to over one thousand alleged visitors of a dark web child pornography site. Now, it has emerged that the campaign was actually several orders of magnitude larger. In all, the FBI obtained over 8, 000 IP addresses, and hacked computers in 120 different countries, according to a transcript from a recent evidentiary hearing in a related case. The figures illustrate the largest ever known law enforcement hacking campaign to date, and starkly demonstrate what the future of policing crime on the dark web may look like. This news comes as the US is preparing to usher in changes that would allow magistrate judges to authorize the mass hacking of computers, wherever in the world they may be located. Read more of this story at Slashdot. 