The store normally uses encryption to protect its payment processing system, but in some stores the encryption was sometimes off, opening up their point-of-sale terminals to malware. Not every terminal in every affected store was infected with the malware, and not every store was impacted during the full time period of the breach. In some cases, credit card data stored in certain system logs prior to April 3rd was also exposed.

Forever 21 said payment processing systems outside of the US work differently but that it was investigating whether non-US stores were affected as well. Purchases made through its website weren't impacted by the breach.

Chipotle and GameStop suffered similar breaches this year while hotel giant HEI announced it was hit with the same type of data breach last year.

In a statement, Forever 21 said, "In addition to addressing encryption, Forever 21 is continuing to work with security firms to enhance its security measures. We also continue to work with the payment card networks so that the banks that issue payment cards can be made aware of this incident. Lastly, we will continue to support law enforcement's investigation of this incident."