Forever 21 encountered what it termed a cyber incident that impacted a “limited number” of its systems on March 20, 2023. The investigation unveiled that an unauthorized third party accessed files from specific systems between Jan. 5, 2023, and March 21, 2023. The fast-fashion retailer believes that the third party hasn’t copied, retained or shared any of the data, and therefore, the risk to individuals is low. According to the data breach notice with the Maine Attorney General’s Office, the incident might have impacted 539,207 people. The compromised data included name, social security number, date of birth, bank account number (without access codes or PINs), and information regarding health plans.
Total Retail's Take: Many retailers have safeguards in place to protect the security of their customers' data, but are the same steps being taken for employees' personally identifiable information? Data security protocols should extend across all information that a retailer collects and stores, be it customer, employee, product, competitor, etc.
Erich Kron, security awareness advocate at cybersecurity company KnowBe4, commented: “This is a significant number of records that contain very sensitive information that have been potentially compromised, leaving a lot of current and past employees at risk for identity theft or targeted phishing attacks. While there are currently no known instances of identity theft having occurred because of this breach, the data could easily be bundled and sold on the dark web and not used for months or even years. Information such as a social security number doesn't expire and can be useful for attackers for decades. Potential victims of this breach should remain alert and watch for phishing emails and potential credit requests, as well as consider locking their credit to keep new accounts from being opened without their knowledge.”