Forever 21 was hit by a cyberattack.
Forever 21 is reporting a security incident that exposed sensitive personal information of some of its current and former workers.
In a filing with the Maine attorney general’s office, external counsel for the specialty apparel retailer disclosed that 539,207 of its present and previous employees were affected by a data breach that occurred between January and March 2023 and was discovered Aug. 4, 2023. An external systems hack exposed the names, Social Security numbers, dates of birth, bank account numbers (without access information), and health plan data of affected customers.
According to Cybernews, Forever 21 told affected employees it has no evidence any of the exposed data has been misused or that it was shared or copied. The retailer has taken steps to ensure that unauthorized access to the data has been removed and said risk to individuals is low.
However, the retailer is offering 12 months of free Experian IdentityWorks fraud/credit monitoring services to anyone whose information may have been exposed.
In commentary emailed to Chain Store Age, Erich Kron, security awareness advocate at cybersecurity company KnowBe4, said the risk for those with exposed data is real.
“This is a significant number of records that contain very sensitive information that have been potentially compromised, leaving a lot of current and past employees at risk for identity theft or targeted phishing attacks,” said Kron. “While there are currently no known instances of identity theft having occurred because of this breach, the data could easily be bundled and sold on the dark web and not used for months or even years. Information such as a social security number does not expire and can be useful for attackers for decades.”
Based in Los Angeles, Forever 21 is a subsidiary of Authentic Brands Group and operates more than 572 locations globally and online.