Fashion retailer Forever 21 has started informing more than 500,000 individuals that their personal information was compromised in a data breach earlier this year.
In a sample notification letter submitted to the Maine Attorney General’s Office, the fashion retailer revealed that, on March 20, 2023, it identified a cyberattack that impacted some of its systems.
Forever 21’s investigation determined that the attackers had access to the company’s systems since at least January 5, 2023, and that they accessed those systems several times until March 21.
This month, the company discovered that the files the attackers had access to contained personal information, including names, birth dates, Social Security numbers, bank account numbers, and Forever21 health plans data.
Forever 21 told the Maine Attorney General that close to 540,000 individuals were impacted by the incident. The company’s description of the compromised data suggests that these are its employees.
The company also notes that it has no evidence to suggest that the stolen information “has been misused for purposes of fraud or identity theft”. However, such data is often shared between cybercriminals and used in phishing and other types of malicious attacks.
While the retailer shared no details on how the attackers breached its systems and whether file-encrypting ransomware was used, the notification letter suggests that it engaged in communication with the attackers and that a ransom might have been paid.
“Forever 21 has taken steps to help assure that the unauthorized third party no longer has access to the data. In addition, Forever 21 has no indication that the unauthorized third party further copied, retained, or shared any of the data,” the company said.
SecurityWeek has emailed Forever 21 for clarification on the matter and will update this article as soon as a reply arrives.
Headquartered in Los Angeles, the company sells accessories, beauty products, clothing, and home goods through roughly 500 outlets and online. After filing for bankruptcy in 2019, Forever 21 was acquired by Authentic Brands Group, Brookfield Properties, and Simon Property Group.
Related: 10 Million Likely Impacted by Data Breach at French Unemployment Agency
Related: University of Minnesota Confirms Data Breach, Says Ransomware Not Involved
Related: Tesla Discloses Data Breach Related to Whistleblower Leak
