Computerworld - Nearly 99,000 payment cards used by customers at several Forever 21 Inc. retail stores may have been compromised in a series of data thefts dating back to August 2004.
In a statement released last week and posted on its Web site, the Los Angeles-based discount retailer said it discovered the thefts only after being notified of them by the U.S. Department of Justice in Boston on Aug. 5. There was no explanation for why the company waited more than a month after it discovered the compromise to notify affected customers.
The DOJ last month filed indictments against three people who allegedly hacked into computer systems belonging to 12 retailers to steal payment card data. The incidents covered in the indictments included a much-publicized breach at TJX Companies Inc. Forever 21 said it was notified by the DOJ that it was one of the victims of those attacks and was given a disk containing "potentially compromised file data."
A subsequent forensic analysis revealed that transaction data for approximately 98,930 credit and debit card numbers had been illegally accessed, with more than 20,000 of the transactions made at the company's Fresno store. The company's investigations indicated that the intrusions affected customers who shopped at its stores on nine specific dates. The first intrusion dated back to March 25, 2004, the most recent one occurred Aug. 14, 2007.
The compromised data included credit and debit card numbers, expiration dates "and other card data," but it did not include customer names or addresses. More than half of the compromised payment cards are either inactive or have expired, Forever 21 said. The company offered no details on what other data might have been compromised, and it was not clear whether all nine of the data theft incidents resulted from a single intrusion or whether the company's systems were broken into nine separate times.
Forever 21 stressed that it has complied with the requirements of the credit card industry's Payment Card Industry Data Security Standard (PCI DSS) since it went into effect. And it noted it has been certified as being PCI-compliant since 2007. It was not immediately clear whether that compliance was achieved before or after August 2007, when four of the illegal data access incidents took place.
Company officials did not return a phone call seeking comment. A toll-free number set up by Forever 21 to answer questions from customers offered an automated recording that repeated what the company had said in its statement but offered no new details. The recording invited callers to leave their names and phone numbers with the promise that someone from the company would get back to them. A message seeking comment left at that number was not returned either.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
