Forever 21 Offers New Info for Customers Affected by Data Breach

Forever 21 is offering customers more information about a recently-discovered data breach that exposed its customers’ credit card information.

Following announcement of the data breach in November 2017, Forever 21 contracted with a third-party data security firm to investigate.

A notice recently posted on the Forever 21 website shows the results of that investigation and offers Forever 21 customers suggestions for what they can do to protect themselves from identity theft that could result from the data breach.

The company says it first learned of the data breach in October 2017, when a third-party vendor alerted the company that payment card data used at Forever 21 stores may have been exposed to unauthorized access.

Further investigation revealed evidence that the company’s network had been subject to unauthorized access. Malware designed to search for payment card data had been installed on the system, the company says.

The malware searched for card data as each card was used at the point of sale, the notice reads. In most cases, the malware was able to catch the card number, expiration date, and internal verification code, Forever 21 says. In some instances, the malware was able to get the cardholder’s name.

The investigation also found that encryption technology had not been always operational in the point-of-sales systems in some Forever 21 stores.

The malware and disabled encryption affected the point-of-sales systems at certain Forever 21 stores between April 3 and Nov. 18, 2017. Different stores’ systems were affected at different times. Forever 21 says some stores’ systems were affected only for a few days or weeks, and others were affected for the full duration of the overall incident.

Within affected stores, some point-of-sale devices may have been affected while others were not, the company says. The announcement does not state which stores were affected. Credit and debit cards used on the company’s retail website were not affected by the breach, according to the announcement.

Forever 21 says it has been working with its vendors and data security experts to assess the encryption technology at work in all of its stores and to improve its current data security measures. The investigation has yet to determine whether the data breach affected Forever 21 stores outside the U.S., which use a different point-of-sale system.

The company recommends customers keep an eye on their credit and debit card statements for any unauthorized activity. Any unauthorized charges should be reported to the card issuer as soon as possible. Cardholders can avoid responsibility for unauthorized charges that are reported in a timely manner, Forever 21 notes.

Affected Forever 21 customers are also advised to keep an eye on the contents of their credit reports. Customers can request free copies of their credit reports from each of the three major credit reporting agencies – Equifax, Experian and TransUnion – through the website AnnualCreditReport.com or by calling 1-877-322-8228. Federal law allows consumers to request at least one free credit report per year per agency.

UPDATE: On April 10, 2018, two plaintiffs filed a class action lawsuit against Forever 21 over allegations that a data breach left consumers vulnerable to identity theft.