Company officials did not return a phone call seeking comment. A toll-free number set up by Forever 21 to answer questions from customers offered an automated recording repeating what the company had said in its statement but offered no new details. The recording invited callers to leave their names and phone numbers with the promise that someone from the company would get back to them. A message seeking comment left at that number was not returned either. The incidents cited by Forever 21 appear linked to the early August arrests of 11 people on credit card fraud-related charges. They are believed responsible for a series of data heists at 12 major retailers, including TJX Companies, Forever 21, BJ Wholesale Clubs, DSW, Office Max, Barnes and Noble and Sports Authority.
Last week, one of the arrested individuals, Damon Patrick Toey, pleaded guilty to four felony counts, including wire and credit card fraud and aggravated identity theft. He faces up to five years in prison for each of the felony counts plus an additional US$250,000 in fines for each count.
Court papers filed in connection with the arrests of Toey and the other individuals charged in the data thefts reveal that many of the intrusions were carried out by taking advantage of weak wireless security at individual retail store locations.
Such incidents highlight the growing need for retailers to implement better security controls at the store level, said Rosen Sharma, chief technology officer at Solidcore Systems.
Until relatively recently, the PCI mandate did not require merchants to implement specific controls for protecting their store systems and networks from being tampered with or broken into, Sharma said. This has made these systems particularly attractive targets for data thieves looking for an easy entry point into a retail network. Often, retail store locations have little to no physical or virtual security controls and are staffed by people with little knowledge of computer security issues, he said.