Nearly 99,000 payment cards used by customers at several Forever 21 retail stores may have been compromised in a series of data thefts dating back to August 2004.
In a statement released last week and posted on the discount retailer's Web site, the Los Angeles-based company said it discovered the thefts only after being notified of them by the US Department of Justice on August 5. There was no explanation for why the company waited more than a month after it discovered the compromise to notify affected customers about it.
The DOJ last month filed indictments against three people who allegedly hacked into computer systems belonging to 12 retailers to steal payment card data -- including a much-publicized breach at TJX Companies . Forever 21 said it was notified by the DOJ that it was one of the victims of those attacks and was given a disk containing "potentially compromised file data."
A subsequent forensic analysis revealed that transaction data for approximately 98,930 credit and debit card numbers had been illegally accessed, with more than 20,000 of the transactions made at the company's Fresno store. The company's investigations indicated that the intrusions affected customers who shopped at the company's stores on nine specific dates. The first intrusion dated back to March 25, 2004, the most recent one occurred August 14, 2007.
The compromised data included credit and debit cards, expiration dates "and other card data," but did not include customer names or addresses. More than half of the compromised payment cards are either inactive or have expired, the company said. The company offered no details on what other data might have been compromised, and it was not clear whether all nine of the data theft incidents resulted from a single intrusion or whether the company's systems were broken into nine separate times.
Forever 21 stressed that it has complied with the requirements of the credit card industry's Payment Card Industry Data Security Standards (PCI DSS) since they went into effect. And it noted it has been certified as being PCI-compliant since 2007. It was not immediately clear whether that compliance was achieved before or after August 2007, when four of the illegal data access incidents took place.