CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
September 18th, 2008

Almost 99,000 Credit Cards Compromised In Data Theft In “Forever 21″ Retail Stores

Payment cards used by customers of several Forever 21 Inc. retail stores may have been compromised in a series of data thefts dating back to August 2004. Forever 21, a discount retailer company based in Los Angeles, have been notified by the U.S. Department of Justice in Boston on Aug. 5. There was no explanation for why the company waited more than a month after it discovered the compromise to notify affected customers about it. Forever 21 discovered the thefts only after being notified of them by the Department of Justice, according to a statement released last week and posted on the discount retailer’s Web site.

The Department of Justice (DOJ) last month filed indictments against three people who allegedly hacked into computer systems belonging to 12 retailers to steal payment card data, including a much-publicized breach at TJX Companies. Forever 21 said it was notified by the DOJ that it was one of the victims of those attacks and was given a disk containing “potentially compromised file data.”

A subsequent forensic analysis revealed that transaction data for approximately 98,930 credit and debit card numbers had been illegally accessed, with more than 20,000 of the transactions made at the company’s Fresno store. The company’s investigations indicated that the intrusions affected customers who shopped at the company’s stores on nine specific dates. The first intrusion dated back to March 25, 2004, the most recent one occurred Aug. 14, 2007.

The compromised data included credit and debit cards, expiration dates “and other card data,” but did not include customer names or addresses. More than half of the compromised payment cards are either inactive or have expired, the company said. The company offered no details on what other data might have been compromised, and it was not clear whether all nine of the data theft incidents resulted from a single intrusion or whether the company’s systems were broken into nine separate times.

Forever 21 stressed that it has complied with the requirements of the credit card industry’s Payment Card Industry Data Security Standards (PCI DSS) since they went into effect. And it noted it has been certified as being PCI-compliant since 2007. It was not immediately clear whether that compliance was achieved before or after August 2007, when four of the illegal data access incidents took place.

The incidents cited by Forever 21 appear linked to the early August arrests of 11 people on credit card fraud-related charges. They are believed responsible for a series of data heists at 12 major retailers, including TJX Companies Inc., Forever 21, BJ Wholesale Clubs Inc, DSW Inc. Office Max Inc., Barnes and Noble and Sports Authority.

Share this item with others:

More on CyberInsecure:
  • Spanish Payment Breach Prompts Huge German Card Recall
  • Forcht Bank Disables 8500 Debit Cards After Breach
  • Credit Cards Data Stolen In 1st Source Bank Intrusion
  • 4.2 Million Records Stolen In Supermarket Data Breach
  • Identity Theft Scam In Lunardi’s Supermarket In Los Gatos

    • Posted in Breaches And Incidents, Data Theft | Print This Post Print This Post

    This entry was posted on Thursday, September 18th, 2008 at 12:20 pm and is filed under Breaches And Incidents, Data Theft. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Almost 99,000 Credit Cards Compromised In Data Theft In “Forever 21″ Retail Stores

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    *
    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.

    « «
    » »