In a statement released late last Friday, the Los Angeles-based company said it learned of the breach on Aug. 5, when the U.S. Department of Justice in Boston charged 11 people in connection with the theft and sale of credit cards from major retailers, including TJX Companies Inc. The Secret Service told Forever 21 that morning it was among the retail victims in the indictment and gave it a disk of possibly compromised file data, the company said.
An investigation by forensic consultants showed that intruders accessed transaction data of approximately 98,930 credit and debit cards, Forever 21 said. Of those numbers, 20,500 were stolen from a Fresno store's transaction data. The company said the theft may have affected customers who shopped at its stores on nine dates starting in March 2004 and ending in August 2007. Customers who shopped at the Fresno store between November 2003 and October 2005 may also be affected.
According to Forever 21, the compromised data included credit and debit card numbers and some expiration dates and other card data but not customer names and addresses. More than half of the payment cards are no longer active or have expired, the company said.
"We have been working with our acquiring bank and payment card networks to resolve the situation," the company said
Forever 21 also said its systems were certified as compliant with the Payment Card Industry Data Security Standard, including its encryption requirements. Since learning of the incident the company has adopted additional security measures.
"The fact of the matter is someone being PCI compliant doesn't necessarily mean they won't get attacked or have fraud committed against them," said Ed Moyle, a founding partner at SecurityCurve, a consulting firm based in Amherst, N.H.
Moyle said the way the breach played out was unfortunate, with Forever 21 customers not having the opportunity to take steps to cancel their cards or step up oversight of their bills sooner. "It's a pretty significant breach," he added.
Rich Mogull, an independent consultant and founder of Securosis LLC, wrote in an email that "until very recently the vast majority of retailers were extremely vulnerable to attack." Many retailers still are vulnerable, but there's been incremental improvement, he said.
"There are so many successful attacks and disclosures these days that it's literally just becoming background noise," Mogull added. "Fortunately, consumers are fairly well protected from credit card fraud as long as they keep an eye on their statements. It's the retailers and merchant banks that really pay the costs."
According to published reports, one of the suspects charged last month with the thefts from TJX and other retailers, Damon Patrick Toey, pleaded guilty last week to credit card fraud, aggravated identity theft and other crimes. The suspects allegedly stole payment card information by wardriving and hacking into vulnerable wireless networks.
In March of 2007, TJX disclosed that hackers had stolen at least 45.7 million customer credit and debit card data.