The Forever 21 data breach is worse than feared – here's what happened

It went on for months, and happened because a safety measure wasn't turned on everywhere.

What happened?

If you shopped at a Forever 21 store in 2017, there's a chance your credit/debit card information has been stolen.

The clothing retailer – which first alerted people to the possibility of a breach in November – recently offered more details about how and when it happened.

What information was taken?

In most cases, payment card data: so the card number, expiration date, and an "internal verification code, according to Forever 21.

But there were some instances that the cardholder name was scraped up by the malware as well.

Which stores were affected?

Forever 21 isn't saying, only revealing that it was across the U.S. and happened over the course of about seven months.

The timeline the retailer gives is from April 3 through Nov. 18, 2017. In some stores, the unauthorized access went on nearly that entire time; in others, it was a matter of weeks, or even just a few days.

And it was only physical shops – online purchases weren't affected.

OK, so how did this happen?

Forever 21 didn't turn on some safety measures it had. 

The company says it's used an encryption technology for payment processing systems since 2015. In October of 2017, they were alerted to possible unauthorized access to that data, so hired people to investigate.


5 things you should take away from the Explore Minnesota Facebook page hack

The investigation found that the encryption technology simply wasn't turned on at some point-of-sale devices (the thing that reads and processes your card) in an unspecified number of Forever 21 stores.

That allowed malware to be installed on some of those point-of-sale machines. That malware would search for payment card data as it was being routed through the device – usually only getting the number and expiration date, but occasionally acquiring the cardholder name too.

Is that it?

Not quite. While the encryption was off and malware was installed between early April and mid-November, credit/debit cards from earlier purchases might also be affected.

That's because Forever 21 stores have a device that logs all completed card payment authorizations. If the encryption was off, payment card data was being stored there too. 


– The Tip Jar: Should you accept Equifax's free credit lock offer?

At some of the affected stores, the malware would look at that log – and could scoop up any payment card data that was saved there, including from before April 3.

What is Forever 21 doing about it?

Forever 21 says it's sorting out the point-of-sale device and encryption issues, and working with security firms to "enhance ... security measures."

The company is also alerting card issuers, so banks know about it.

And what should I be doing?

If you shopped at Forever 21 in 2017, keep an eye on your card accounts.

If you see any charges for something you didn't buy, call your bank or card issuer ASAP. (The number is usually on the back of your card.)

You can also check out your credit reports free of charge for any unusual activity, in case another line of credit has been applied for/opened in your name).

You're entitled to one free credit report every 12 months from each of Equifax, Experian and TransUnion, which you can get from

Next Up