Forever 21 Clarifies Data Breach Details
Evan Schuman writes on StorefrontBacktalk:
On Sept. 12, Forever 21 issued a statement that the chain had been wirelessly breached repeatedly between March 25, 2004, and Aug. 14, 2007, and that thieves "accessed older credit and debit card transaction data for approximately 98,930 credit and debit card numbers," including about 20,500 card numbers taken from one particular store in Fresno, Ca. "The data included credit and debit card numbers and, in some instances, expiration dates and other card data, but did not include customer name and address. More than half of the affected payment card numbers are no longer active or have expired expiration dates."
More here.
It's not clear what the "other card data" was. Expiration date retention was likely not in compliance with PCI rules, but it's possible that data could have been grabbed during authorization verification. Forever 21's statement said that "our systems have been certified to be in compliance with the PCI standards, including the data encryption standards," but it didn't say specifically when they were certified, other than "since 2007."
The Forever 21 statement was also vague on how and when it learned of the breach. Similar to a statement issued by fellow TJX-breach victim Barnes & Noble, Forever 21 now says that it was contacted by the U.S. Secret Service on the morning of Aug. 5, 2008, "and was advised that our company was identified in the indictment as one of the retail victims."