Fashion retailer Forever 21 has revealed a data breach that has affected more than 500,000 individuals. The breach, which took place over three months starting in early January 2023, saw unauthorized access to the company’s systems, compromising sensitive data.
According to a data breach notice submitted to the Maine attorney general’s office, the breach exposed the personal information of both current and former employees. Lorena Terroba Urruchua, a spokesperson for Forever 21 via the public relations firm FTI Consulting, confirmed the breach in an email communication with TechCrunch.
The breached data includes details such as names, dates of birth, bank account numbers, Social Security numbers, and information related to employees’ health plans at Forever 21, encompassing details about enrollment and premiums paid.
While Forever 21 acknowledged the breach of its systems, the company did not provide specific details about the nature of the incident. However, the statement noted, “Forever 21 has taken steps to help assure that the unauthorized third party no longer has access to the data.” It remains to be seen how the company verified this assurance claim, leading to speculation that a ransom or payment may have been involved, although this has yet to be confirmed.
It is typical for cybercriminals, especially those involved in ransomware and extortion schemes, to threaten the release of stolen data unless a ransom demand is met. However, cybersecurity experts have consistently cautioned against trusting these claims, as there is no guarantee that threat actors have deleted the compromised data.
Forever 21’s spokesperson, Terroba Urruchua, declined further comments on the incident.
This data breach marks the second major cybersecurity incident for Forever 21 in recent years, following a large-scale theft of credit card numbers from its in-store point-of-sale systems in 2017.
The disclosure of this data breach comes at an interesting time for Forever 21, as it recently announced a partnership with retail giant Shein. This collaboration aims to facilitate access to each other’s customer bases, with Shein also acquiring a significant stake in Sparc Group, the operator of Forever 21. Whether news of this data breach will impact the newly formed partnership remains to be seen.
Forever 21, known for its approximately 500 retail locations and online store, faces the challenge of addressing the fallout from this breach while continuing to operate in an ever-evolving cybersecurity landscape.