Hackers breached "various point of sales terminals" at retailer Forever 21's storefronts throughout the US, collecting "credit card numbers, expiration dates, verification codes and sometimes cardholder names" from April 3 to November 18, 2017, CNET reported.
In a notification to customers, Forever 21 said that "We regret this incident occurred and any concern this may have caused you." It explained that when encryption was turned off on a system that logged payment card details from transactions, malware installed on its point of sales systems was able to transmit that data to the hackers.
The company originally disclosed a notice of possible "unauthorised access to data from payment cards that were used at certain Forever 21 stores" in November, though it did not provide specific details about the attack.
There have been so many major breaches of consumer data in recent years that it's hard to keep track. But some of the highest-profile incidents this year included an intrusion into credit-rating firm Equifax's database (losing info on over 145 million people), Yahoo's late admission that all three billion accounts on the network in 2013 were compromised and Uber's bribery of hackers that stole 57 million customers' personal data.
Cybercriminals sometimes market stolen credit card information on deep web forums hidden from less technically inclined web users. Cards which are identified as valid are then used to purchase expensive items like travel packages or gift cards. Tracking down the criminals often isn't the most difficult part, but rather prosecuting them across national borders.
"It's somewhat common to identify them," assistant US attorney for the Western District of Washington Norman Barbosa told CNN Money. "It's a little more more difficult to prosecute them. Much of the investigations in computer crimes are focused on trying to pull back layers to find out who is behind the criminal activity."