
Forever 21 has revealed that a data breach discovered in November has resulted in the theft of credit card information belonging to customers.

The US clothing retailer said previously that a potential data breach was the subject of an investigation into its outlets after a third-party supplier tipped the company off to the potential lapse in security.

Forever 21 hired an external cyberforensics firm to investigate the problem, and while back then it was “too early” to provide any concrete details, the company warned that “certain point-of-sale (PoS) devices in some Forever 21 stores were affected” where encryption may not have been utilized.

In an update, the retailer has now revealed the results of the investigation.

According to the company, encryption on PoS devices used to facilitate customer purchases at some stores was not “always on,” leading to the installation of malware and unauthorized network access.

The malware in question searched for payment track data and gleaned information from cards including card numbers, expiration dates, and internal verification codes.

Forever 21 says that on “occasion” the cardholder name was also stolen.

The malware was operating in some outlets from April 3, 2017, to November 18, 2017.

“In some stores, this scenario occurred for only a few days or several weeks, and in some stores, this scenario occurred for most or all of the timeframe,” the company says. “Each Forever 21 store has…