Man typing on laptop with alert sign showing data breach of fashion retailer

Data Breach at Apparel Giant Forever 21 Impacts Over 500,000 Individuals

Apparel giant Forever 21 has confirmed a data breach that impacted over 500,000 current and former employees.

In a written notices sent to potential victims, Forever 21 said it detected a cyber incident on March 20, 2023, that compromised a limited number of computer systems.

The fashion retailer launched an investigation, engaged external cyber experts, and notified law enforcement agencies. The probe revealed that an authorized party accessed Forever 21’s computer systems numerous times between January 5, 2023, and March 21, 2023, and exfiltrated selected files.

Based in Los Angeles, California, Forever 21 stocks apparel, beauty, and home products nationwide at over 500 brick-and-mortar and ecommerce stores and employs over 50,000 people. In 2019, the company filed for bankruptcy and was acquired by Authentic Brands Group, Brookfield Properties, and Simon Property Group.

Forever 21 data breach poses minimal security risk

Forever 21 said there was no evidence to suggest the information has been misused for purposes of fraud or identity theft and does not believe it will ever be.

Additionally, the fashion retailer assured the victims that it took steps to ensure the threat actor no longer had access to the information, suggesting that a ransom was paid.

However, guaranteeing hackers had deleted the stolen information and would not misuse or sell it is complicated even after paying the ransom.

However, the company does not believe the intruder further copied, retained, or shared any of the data, and therefore, the risk to individuals whose personal information was leaked is low. Usually, the full impact of a data breach takes months or years to become apparent.

“While there are currently no known instances of identity theft having occurred because of this breach, the data could easily be bundled and sold on the dark web and not used for months or even years. Information such as a social security number does not expire and can be useful for attackers for decades,” said Erich Kron, security awareness advocate at KnowBe4.

Meanwhile, Forever 21 has determined that the exposed data included the victims’ names, Social Security numbers, date of birth, bank account numbers, and information about Forever21 health plans, including enrollment and premiums paid.

“This is a significant number of records that contain very sensitive information that have been potentially compromised, leaving a lot of current and past employees at risk for identity theft or targeted phishing attacks,” Kron opined.

According to a data breach notification filed with Maine’s Attorney General’s Office, the data breach impacted 539,207 individuals.

The fashion retailer is offering 12 months of complimentary identity theft protection services with Experian IdentityWorks. Nevertheless, victims should remain vigilant for phishing emails, unauthorized transactions, or attempted account opening.

Data breach perpetrators unknown

Forever 21 did not explain how the threat actors breached its systems and if ransomware was involved. If so, the threat actor did not encrypt the company’s network or the retailer paid for the decryption key on time to avoid disruptions.

So far, no hacking group has claimed responsibility for the Forever 21 data breach, and the company has withheld that information, given that Forever 21 seems to be in contact with the threat actor.

The apparel giant is no stranger to data breaches. In 2017, Forever 21 reported a data breach involving customers’ credit card information at point-of-sale locations. The data leak posed a significant risk because Forever 21 failed to encrypt payment data, making it readily usable for nefarious purposes.

Between 2004 and 2007, the home goods retailer was the victim of a retail hacking campaign that also impacted others, such as OfficeMax, Boston Market, Barnes & Noble, and Sports Authority.

The hacking campaign leaked over 40 million credit and debit card numbers, leading to the indictment and arrest of eleven alleged perpetrators.