Nearly 540,000 people have SSNs leaked after cyberattack on retailer Forever 21

Major clothing brand Forever 21 revealed a wide-ranging data breach this week affecting almost 540,000 people.

In a regulatory filing, the fast-fashion giant admitted that hackers had access to its systems from January 5 to March 21 of this year.

The company discovered the breach on March 20 and launched an investigation, finding that names, Social Security numbers, dates of birth, bank account numbers (without access code or pin), and information regarding employee health plans — including enrollment and premiums paid — was accessed by the hackers. A spokesperson for Forever 21 confirmed that the breach only affected current and former employees.

The company did not respond to requests for comment about whether it was a ransomware attack or whether a ransom was paid, but in the breach notification letters to victims, the company said it has “taken steps to help assure that the unauthorized third party no longer has access to the data.”

“We also notified law enforcement and continued to support their investigation. The investigation revealed that an unauthorized third party accessed certain Forever 21 systems at various times between January 5, 2023 and March 21, 2023,” the company said in its filing with Maine’s data breach disclosure site.

“Findings from the investigation indicate the unauthorized third party obtained select files from certain Forever 21 systems during this time period. We have no evidence to suggest your information has been misused for purposes of fraud or identity theft as a result of this incident – and no reason to believe that it will be,” Forever 21 said.

The 539,207 victims are being offered one year of free identity protection services.

The California-based company declared bankruptcy in 2019 but still operates hundreds of stores around the world, with more than 30,000 employees. At its peak, the company reported revenues of $4.4 billion.

Attacks like the Forever 21 incident continue to roil companies both big and small. Researchers at cybersecurity firm Check Point said the retail industry saw the highest increase in the number of cyberattacks in the first half of 2023.

On average, they found retailers saw 1,088 attempted attacks every week and the industry was the second most impacted by ransomware.

Check Point’s Tony Sabaj told Recorded Future news that the penalties and damage of a breach are high but not damaging enough to prompt companies to take more preemptive action.

Last year, New York regulators fined another fast-fashion giant — Shein — $1.9 million for alleged data security and consumer protection failures related to a 2018 breach. Forever 21 had announced its own breach in 2017 after finding hackers accessed data from payment cards used at certain stores.

“Retail specifically is a target since they are operating on small margins and do not fund cybersecurity as much as say a financial institution,” Sabaj said. “They also have many points of entry and low skilled workers.”