Nearly 99,000 payment cards used by customers in the Forever 21 US clothes store chain may have been compromised in data thefts since August 2004.
In a statement released last week and posted on the retailer's website, the company said it discovered the thefts only after being notified of them by the US Department of Justice on 5 August. There was no explanation for why the company waited more than a month after it discovered the compromise to notify affected customers about it.
The DOJ last month filed indictments against three people who allegedly hacked into computer systems belonging to 12 retailers to steal payment card data - including a much-publicised breach at TJX Companies . Forever 21 said it was notified by the DOJ that it was one of the victims of those attacks and was given a disk containing "potentially compromised file data".
A subsequent forensic analysis revealed that transaction data for approximately 98,930 credit and debit card numbers had been illegally accessed, with more than 20,000 of the transactions made at the company's Fresno store. The company's investigations indicated that the intrusions affected customers who shopped at the company's stores on nine specific dates. The first intrusion dated back to March 2004 and the most recent one occurred in August last year.
The compromised data included credit and debit cards, expiration dates "and other card data" but did not include customer names or addresses. More than half of the compromised payment cards are either inactive or have expired, the company said. The company offered no details on what other data might have been compromised, and it was not clear whether all nine of the data theft incidents resulted from a single intrusion or whether the company's systems were broken into nine separate times.
Forever 21 stressed that it has complied with the requirements of the credit card industry's Payment Card Industry Data Security Standards (PCI DSS) since they went into effect. And it noted it has been certified as being PCI-compliant since 2007. It was not immediately clear whether that compliance was achieved before or after August 2007, when four of the illegal data access incidents took place.
Company officials did not return a phone call seeking comment. A toll-free number set up by Forever 21 to answer questions from customers offered an automated recording repeating what the company had said in its statement but offered no new details. The recording invited callers to leave their names and phone numbers with the promise that someone from the company would get back to them. A message seeking comment left at that number was not returned either.
The incidents cited by Forever 21 appear linked to the early August arrests of 11 people on credit card fraud-related charges. They are believed responsible for a series of data heists at 12 major retailers, including TJX Companies , Forever 21, BJ Wholesale Clubs Inc, DSW Office Max , Barnes and Noble and Sports Authority.
Last week, one of the arrested individuals, Damon Patrick Toey, pleaded guilty to four felony counts, including wire and credit card fraud and aggravated identity theft. He faces up to five years in prison for each of the felony counts plus an additional $250,000 in fines for each count.
Court papers filed in connection with Toey's arrest and that of other individuals arrested in connection with the data thefts reveal that many of the intrusions were done by taking advantage of weak wireless security at individual retail store locations.
Such incidents highlight the growing need for retailers to implement better security controls at the store level, said Rosen Sharma, chief technology officer at Solidcore Systems, a security supplier.
Until relatively recently, the PCI mandate did not require merchants to implement specific controls for protecting their store systems and networks from being tampered with or broken into, Sharma said. This has made these systems particularly attractive targets for data thieves looking for an easy entry point into a retail network. Often, retail stores locations have little to no physical or virtual security controls and are manned by staff with little knowledge about computer security issues, he said.