Fashion retailer Forever 21 has notified 539,207 current and former employees about a breach that occurred over an 8-week period from January to March. The breach notification has raised concerns because of its contradictory language: it claims the company takes privacy and security seriously, yet it leaves key questions unanswered.
The breach exposed victims’ personal information, including names, Social Security numbers, birthdates, bank account numbers, and health plan details. Forever 21’s notification, typical of many breach communications, states that there is “no evidence” of information misuse, but experts caution that in cybersecurity matters the absence of evidence is not evidence of absence.
The breach, spotted by Forever 21 in March and investigated by external cybersecurity experts until August, resulted in the unauthorized access and theft of files from the company’s systems. The attackers targeted multiple systems and accessed information from January to March. The notification also asserts that the attacker no longer has access to the stolen data, although the wording raises questions about what steps were actually taken to secure the systems.
Additionally, this vagueness has led some to speculate whether the company may have paid the attacker to delete the stolen data. The breach comes after a 2018 attack involving point-of-sale malware, raising concerns about the company’s overall security practices and transparency.