Skip to main content

The Forever 21 data breach is worse than feared – here's what happened

It went on for months, and happened because a safety measure wasn't turned on everywhere.

What happened?

If you shopped at a Forever 21 store in 2017, there's a chance your credit/debit card information has been stolen.

The clothing retailer – which first alerted people to the possibility of a breach in November – recently offered more details about how and when it happened.

What information was taken?

In most cases, payment card data: so the card number, expiration date, and an "internal verification code, according to Forever 21.

But there were some instances that the cardholder name was scraped up by the malware as well.

Which stores were affected?

Forever 21 isn't saying, only revealing that it was across the U.S. and happened over the course of about seven months.

The timeline the retailer gives is from April 3 through Nov. 18, 2017. In some stores, the unauthorized access went on nearly that entire time; in others, it was a matter of weeks, or even just a few days.

And it was only physical shops – online purchases weren't affected.

OK, so how did this happen?

Forever 21 didn't turn on some safety measures it had. 

The company says it's used an encryption technology for payment processing systems since 2015. In October of 2017, they were alerted to possible unauthorized access to that data, so hired people to investigate.


5 things you should take away from the Explore Minnesota Facebook page hack

The investigation found that the encryption technology simply wasn't turned on at some point-of-sale devices (the thing that reads and processes your card) in an unspecified number of Forever 21 stores.

That allowed malware to be installed on some of those point-of-sale machines. That malware would search for payment card data as it was being routed through the device – usually only getting the number and expiration date, but occasionally acquiring the cardholder name too.

Is that it?

Not quite. While the encryption was off and malware was installed between early April and mid-November, credit/debit cards from earlier purchases might also be affected.

That's because Forever 21 stores have a device that logs all completed card payment authorizations. If the encryption was off, payment card data was being stored there too. 


– The Tip Jar: Should you accept Equifax's free credit lock offer?

At some of the affected stores, the malware would look at that log – and could scoop up any payment card data that was saved there, including from before April 3.

What is Forever 21 doing about it?

Forever 21 says it's sorting out the point-of-sale device and encryption issues, and working with security firms to "enhance ... security measures."

The company is also alerting card issuers, so banks know about it.

And what should I be doing?

If you shopped at Forever 21 in 2017, keep an eye on your card accounts.

If you see any charges for something you didn't buy, call your bank or card issuer ASAP. (The number is usually on the back of your card.)

You can also check out your credit reports free of charge for any unusual activity, in case another line of credit has been applied for/opened in your name).

You're entitled to one free credit report every 12 months from each of Equifax, Experian and TransUnion, which you can get from

Next Up

940 Margaret St, St Paul, MN 55106, United States - May 2019 (1)

4-year-old girl struck by hit-and-run driver in St. Paul

The girl was struck by the driver around 5 p.m. Monday.

Minneapolis police

Baby found safe inside car that was stolen in south Minneapolis

The incident happened near 32nd Street and Chicago Avenue around 7 p.m.

Anthony Edwards

Ant puts on a show to help Timberwolves beat Pacers

A third-quarter surge gave the Timberwolves their seventh win in their past eight games.

Mikko Koivu

Wild to retire Mikko Koivu's No. 9 jersey

Koivu will be the first player in franchise history to have his number retired.

Boebert-Omar - Flickr Gage Skidmore

Rep. Boebert refuses to apologize for Islamophobic comment toward Rep. Omar

A phone call Monday between the two lawmakers ended abruptly.

Patrick Peterson

Vikings place Patrick Peterson on COVID-19/reserve list

The Vikings cornerback said he was vaccinated in August.

flickr - thin ice warning - USFWS Midwest

'Numerous' reports of eager anglers falling through ice

Conditions are still unpredictable, and can vary even across a single body of water.


Minnesota health officials watching closely for omicron variant

Health leaders do not yet know how transmissible or severe the new variant is.

school bus stop pixabay

School bus driver charged in fatal hit-and-run will plead guilty

Another motorist told the driver to call 911, but he instead got on the bus and drove off, charges say.

Franconia Sculpture Park - Lorie Shaull - Flickr

5 outdoor destinations to explore around the Twin Cities

There's something for everyone on this list of overlooked spots.

Child mental health counseling

As pandemic continues, so do efforts to improve child mental health access

Children's Minnesota has announced it will open its first inpatient mental health facility for under 18s.

Dalvin Cook

Mixed reports on Dalvin Cook's injury status

The Vikings running back could miss two games...or he could play Sunday.


Forever 21 says it was probably hit by a data breach

If you bought something there with a card, this might affect you.

What happened to the proposal to stop internet providers selling MN customers' data?

It got a lot of support – but right now isn't included in any bill. Here's what is going on.

2 major security flaws are affecting millions of phones, computers – here's what you should do

And you probably have a device that's at risk. Here's what you should do about it.

New proposal: Internet companies should pay you if they use or sell your data

It's your data that's valuable – should you get compensated for it?

The Equifax data breach: What do you do next?

143 million consumers had their information compromised.

This WPA2 KRACK attack means your WiFi is not secure – even though everyone thought it was

This newly reported flaw affects basically everybody – so here's what you should do.

The Uber data breach: What you need to know

Personal information of 57 million Uber users was accessed.

Al Franken tears into former Equifax CEO over the data breach

Franken questioned the former CEO over the massive data breach.