In 2017, fashion retailer Forever 21 experienced a malware attack on its card payment system that compromised customers’ payment cards. The breach was an embarrassment on a number of levels because the attacker had access to their system for about 7 months, and Forever 21 did not seem to have discovered the breach on their own. Fast forward to 2023 and Forever 21 is notifying almost 540,000 current and former employees of a breach earlier this year.
According to a template of their notification letter, submitted by their external counsel to the Maine Attorney General’s Office: on March 20, 2023, Forever 21 identified “a cyber incident that impacted a limited number of systems.” A subsequent investigation determined that an unauthorized third party accessed certain Forever 21 systems at various times between January 5, 2023 and March 21, 2023. The notification does not explain how the unauthorized individual managed to gain access.
While Forever 21 does not forthrightly state that there was an extortion demand, the wording of their letter suggests that not only was there a demand, but Forever 21 paid the attacker(s) to get assurances that the data were deleted. They write:
We have no evidence to suggest your information has been misused for purposes of fraud or identity theft as a result of this incident – and no reason to believe that it will be. Forever 21 has taken steps to help assure that the unauthorized third party no longer has access to the data. In addition, Forever 21 has no indication that the unauthorized third party further copied, retained, or shared any of the data. As a result, we believe the risk to individuals whose personal data was involved in this event is low.
Well, the risk is only low if the criminal(s) told the truth. And of course, criminals do not always tell the truth, so let’s take all those reassuring statements and put them aside.
The files contained the personal and protected health information of employees who were enrolled in the firm’s health plan, such as their name, Social Security number, date of birth, bank account number (without access code or pin), and information regarding their Forever21 health plan, including enrollment and premiums paid.
The firm’s submission to the Maine Attorney General’s Office indicates that 539,207 are being notified.
This incident should be a reportable breach under HIPAA because it involves members health plan information. It has not yet shown up on HHS’s public breach tool, and the number reported to HHS (assuming, for now, that Forever 21 will report it to HHS) may be significantly lower than the total number of employees being notified.