Skip to content

Forever 21 Suffers Credit Card Breach

In yet another episode of the eternal conga line of breaches and thefts, Forever 21 recently announced that hackers stole credit card data from their stores.

What Happened to Forever 21?

Forever 21 has not-so-kindly kept most of the details private so far. We do know that Forever 21 began upgrading the encryption and tokenization of Point-of-Sale terminals in their stores in 2015. However, some stores did not upgrade their terminals by 2017. The breach itself began in March 2017 and ended in October, as far as the company knows. An as-yet-unknown third party reported the breach to Forever 21, and the company has hired another security company to investigate. The company will not disclose what stores the hackers infected, nor will they confirm the exact timeframe of the breach. As far as we know, the company has not reached out to potentially-impacted customers.

The Official Company Statement

FOREVER 21 is notifying its customers that it recently received a report from a third party that suggested there may have been unauthorized access to data from payment cards that were used at certain FOREVER 21 stores. Forever 21 immediately began an investigation of its payment card systems and engaged a leading security and forensics firm to assist.

Because of the encryption and tokenization solutions that FOREVER 21 implemented in 2015, it appears that only certain point of sale devices in some FOREVER 21 stores were affected when the encryption on those devices was not in operation. The company’s investigation is focused on card transactions in FOREVER 21 stores from March 2017 – October 2017. Because the investigation is continuing, complete findings are not available, and it is too early to provide further details on the investigation. FOREVER 21 expects to provide an additional notice as it gets further clarity on the specific stores and timeframes that may have been involved.

It is always advisable for customers to closely monitor their payment card statements. If customers see an unauthorized charge, they should immediately notify the bank that issued the card. Payment card network rules generally state that cardholders are not responsible for such charges.

We regret that this incident occurred and apologize for any inconvenience. We will continue to work to address this matter. For more information, please visit

We will provide more updates as they become available.

More Reading

About Secure Compliance Solutions LLC

Secure Compliance Solutions LLC (SCS) provides a wide range of cybersecurity consulting and managed security services to small and medium sized businesses (SMB) and government agencies, fortifying their Information Security and Data Privacy programs.  SCS works with its clients to tailor and implement industry-proven frameworks and standards to meet compliance goals and drive consistent security operations. We raise awareness of current security trends and risks to prepare personnel to recognize and defend against potential security issues.  We implement technical solutions and controls to minimize data risks and liabilities.  Our Managed Security Service provides “constant watch” against both internal and external cyber threats and attacks.  At SCS, we promote a strategy of readiness and resilience that facilitates business risk mitigation and enables dynamic response capabilities to keep your business up and running.