Last Friday, Forever 21 issued a notice on their website stating that their systems were illegally accessed to obtain customer payment card information. Approximately 98,930 credit and debit card numbers were illegally accessed, but more than half of the affected payment card numbers are no longer active or have expired expiration dates.

We have determined that this incident may have affected a subset of our customers who shopped at our stores on the following nine dates: March 25, 2004; March 26, 2004; June 23, 2004; July 2, 2004; July 3, 2004; August 4, 2007; August 5, 2007; August 13, 2007; and August 14, 2007. In addition, the incident may have affected customers who shopped at our Fresno, California store located at 567 E. Shaw Ave. between November 26, 2003 and October 24, 2005.

On August 5, 2008, the U.S. Department of Justice in Boston filed indictments against 3 individuals alleged to have committed crimes involving credit card fraud against 12 retailers. That morning, Forever 21 was contacted by the U.S. Secret Service and was advised that our company was identified in the indictment as one of the retail victims. We subsequently received from the Secret Service a disk of potentially compromised file data. We promptly retained forensic consultants to help us examine the file data and our systems. Based on that investigation, we believe that the unauthorized persons accessed older credit and debit card transaction data for approximately 98,930 credit and debit card numbers. Approximately 20,500 of these numbers were obtained from the Fresno store transaction data. The data included credit and debit card numbers and in some instances expiration dates and other card data, but did not include customer name and address. More than half of the affected payment card numbers are no longer active or have expired expiration dates.

If you are interested in other security breaches, the Data Loss Database is a very good resource. They even have an entry for Forever 21 incident.