
The Forever 21 data breach is worse than feared – here's what happened

It went on for months, and happened because a safety measure wasn't turned on everywhere.

What happened?

If you shopped at a Forever 21 store in 2017, there's a chance your credit/debit card information has been stolen.

The clothing retailer – which first alerted people to the possibility of a breach in November – recently offered more details about how and when it happened.

What information was taken?

In most cases, payment card data: the card number, expiration date, and an "internal verification code," according to Forever 21.

But there were some instances in which the cardholder name was scraped up by the malware as well.

Which stores were affected?

Forever 21 isn't saying, only revealing that it was across the U.S. and happened over the course of about seven months.

The timeline the retailer gives is from April 3 through Nov. 18, 2017. In some stores, the unauthorized access went on nearly that entire time; in others, it was a matter of weeks, or even just a few days.

And it was only physical shops – online purchases weren't affected.

OK, so how did this happen?

Forever 21 didn't turn on some safety measures it had. 

The company says it has used an encryption technology for payment processing systems since 2015. In October of 2017, it was alerted to possible unauthorized access to that data, so it hired people to investigate.



The investigation found that the encryption technology simply wasn't turned on at some point-of-sale devices (the thing that reads and processes your card) in an unspecified number of Forever 21 stores.

That allowed malware to be installed on some of those point-of-sale machines. That malware would search for payment card data as it was being routed through the device – usually only getting the number and expiration date, but occasionally acquiring the cardholder name too.

Is that it?

Not quite. While the encryption was off and malware was installed between early April and mid-November, credit/debit cards from earlier purchases might also be affected.

That's because Forever 21 stores have a device that logs all completed card payment authorizations. If the encryption was off, payment card data was being stored there too. 



At some of the affected stores, the malware would look at that log – and could scoop up any payment card data that was saved there, including from before April 3.

What is Forever 21 doing about it?

Forever 21 says it's sorting out the point-of-sale device and encryption issues, and working with security firms to "enhance ... security measures."

The company is also alerting card issuers, so banks know about it.

And what should I be doing?

If you shopped at Forever 21 in 2017, keep an eye on your card accounts.

If you see any charges for something you didn't buy, call your bank or card issuer ASAP. (The number is usually on the back of your card.)

You can also check your credit reports free of charge for any unusual activity (in case another line of credit has been applied for or opened in your name).

You're entitled to one free credit report every 12 months from each of Equifax, Experian and TransUnion, which you can get from
