Forever 21 data breach affects half a million people

Clothing giant Forever 21 said a data breach earlier in the year affects more than half a million individuals.

A data breach notice filed with Maine's attorney general said the fashion giant was hacked over a three-month period beginning early January 2023, during which intruders obtained files from its systems. This data included the personal information of current and former employees, said Lorena Terroba Urruchua, a spokesperson for Forever 21 via public relations firm FTI Consulting, in an email to TechCrunch.

According to the notice, Forever 21 notified 539,207 people that the breached data included their name, date of birth, bank account number and Social Security number, as well as information regarding employees' Forever21 health plan, including enrollment and premiums paid.

Forever 21 did not describe the incident beyond a breach of its systems, but noted that, "Forever 21 has taken steps to help assure that the unauthorized third party no longer has access to the data." It's not clear how Forever 21 obtained this claim of assurance. The ambiguous wording of the notice could imply the company paid the hacker in exchange for deleting the data.

It's not uncommon for ransomware and extortion groups to threaten to publish the data they steal if the victim does not meet a ransom demand, but security experts have long said it's not possible to trust that a threat actor has deleted the data as claimed.

Forever 21 spokesperson Terroba Urruchua declined to comment further.

Forever 21 has about 500 retail locations and an online store. It's the second data breach in recent years after a massive theft of credit card numbers from its store point-of-sale machines in 2017.

Last week, retail giant Shein and Forever 21 announced a partnership that would allow both brands to reach each others' customers, including a deal by Shein to acquire about a third of Forever 21's operator, Sparc Group. It's not clear if news of Forever 21's data breach would affect the partnership.

Corrected to note that only current and former employees affected, not customers.