Fashion chain Forever 21 has suffered what it has described as a "data security incident" that saw a hacker gain access to its systems for months, and exposed the personal details of 539,207 current and former employees.
In a data breach notification filed with the Maine Attorney General’s Office, Forever 21 revealed that it first realised an "unauthorized third party" had accessed some of its systems on March 20 2023. A subsequent investigation determined that the security breach occurred at various times between January 5 and March 21 2023 before, presumably, the hacker's access was blocked.
Files obtained by the intruder during that time contained sensitive information about past and present employees, including:
The company says it has "no evidence" to suggest the accessed information has been misused for purposes of fraud or identity theft, "and no reason to believe that it will be."
It's nice to hear that Forever 21 feels confident that nothing bad has happened, and that nothing will be in future - but (as has been pointed out many times before) an absence of evidence is not the same as having the evidence of absence.
It may be that nothing bad has happened with some of the personal data leaked at Forever 21, and will never in the future, but how can anyone - let alone a fashion retailer - know that with any certainty? Just because no-one has told them the information has been abused, or no-one has linked abuse of over half a million people's personal information to the Forever 21 breach earlier this year does not mean that it hasn't happened, and will never happen in the future.
Forever 21 also states that it does not believe that the breaches data was copied, retained, or shared by the third party who accessed it. Without more information (does it know who accessed the data?), it's hard to know how the company has come to that determination with any certainty.
The retailer says that the risk to former and current employees is "low."
It also believes that the third party hasn’t copied, retained, or shared any of the data, and therefore, the risk to individuals is low. Personally, I would err on the side of caution. To that end I would recommend current and former workers at the company take advantage of the firm's offer of complimentary 12 month identity protection, and keep their eye open for suspicious activity.
Unfortunately, this is not the first time that Forever 21 has suffered a security breach.
In 2017, the company warned customers to keep a close eye on their credit card statements after it suffered a data breach made worse by a failure to properly encrypt payment data at point-of-sales terminals.
And between 2004 and 2007, the details of almost 100,000 customers' payment cards were stolen from Forever 21. Forever 21 only learnt about that breach after it was contacted by the US Secret Service, which was investigating a gang who had launched a spate of attacks against retailers who were not securely encrypting credit and debit card transaction data.