Forever 21 Cards Compromised in Data Thefts

Nearly 99,000 payment cards used by customers at several Forever 21 Inc. retail stores may have been compromised in a series of data thefts dating back to August 2004.

In a statement released last week and posted on the discount retailer's Web site, the Los Angeles-based company said it discovered the thefts only after being notified of them by the U.S. Department of Justice in Boston on Aug. 5. There was no explanation for why the company waited more than a month after it discovered the compromise to notify affected customers about it.

The DOJ last month filed indictments against three people who allegedly hacked into computer systems belonging to 12 retailers to steal payment card data -- including a much-publicized breach at TJX Companies Inc. . Forever 21 said it was notified by the DOJ that it was one of the victims of those attacks and was given a disk containing "potentially compromised file data."

A subsequent forensic analysis revealed that transaction data for approximately 98,930 credit and debit card numbers had been illegally accessed, with more than 20,000 of the transactions made at the company's Fresno store. The company's investigations indicated that the intrusions affected customers who shopped at the company's stores on nine specific dates. The first intrusion dated back to March 25, 2004, the most recent one occurred Aug. 14, 2007.

The compromised data included credit and debit cards, expiration dates "and other card data," but did not include customer names or addresses. More than half of the compromised payment cards are either inactive or have expired, the company said. The company offered no details on what other data might have been compromised, and it was not clear whether all nine of the data theft incidents resulted from a single intrusion or whether the company's systems were broken into nine separate times.

Forever 21 stressed that it has complied with the requirements of the credit card industry's Payment Card Industry Data Security Standards (PCI DSS) since they went into effect. And it noted it has been certified as being PCI-compliant since 2007. It was not immediately clear whether that compliance was achieved before or after August 2007, when four of the illegal data access incidents took place.

Company officials did not return a phone call seeking comment. A toll-free number set up by Forever 21 to answer questions from customers offered an automated recording repeating what the company had said in its statement but offered no new details. The recording invited callers to leave their names and phone numbers with the promise that someone from the company would get back to them. A message seeking comment left at that number was not returned either. The incidents cited by Forever 21 appear linked to the early August arrests of 11 people on credit card fraud-related charges. They are believed responsible for a series of data heists at 12 major retailers, including TJX Companies Inc., Forever 21, BJ Wholesale Clubs Inc, DSW Inc. Office Max Inc., Barnes and Noble and Sports Authority.

Last week, one of the arrested individuals, Damon Patrick Toey, pleaded guilty to four felony counts, including wire and credit card fraud and aggravated identity theft. He faces up to five years in prison for each of the felony counts plus an additional $250,000 in fines for each count.

Court papers filed in connection with Toey's arrest and that of other individuals arrested in connection with the data thefts reveal that many of the intrusions were done by taking advantage of weak wireless security at individual retail store locations.

Such incidents highlight the growing need for retailers to implement better security controls at the store level, said Rosen Sharma, chief technology officer at Solidcore Systems Inc. a Cupertino, Calif.-based security vendor.

Until relatively recently, the PCI mandate did not require merchants to implement specific controls for protecting their store systems and networks from being tampered with or broken into, Sharma said. This has made these systems particularly attractive targets for data thieves looking for an easy entry point into a retail network. Often, retail stores locations have little to no physical or virtual security controls and are manned by staff with little knowledge about computer security issues, he said.

This story, "Forever 21 Cards Compromised in Data Thefts" was originally published by Computerworld.

To comment on this article and other PCWorld content, visit our Facebook page or our Twitter feed.
Shop Tech Products at Amazon