Forever 21 Breach Notification Leaves Unanswered Questions
539,207 Employees Warned This Week About 8-Week Breach Discovered in March
Cybersecurity doublespeak is never a good sign, especially when it comes in a stamped letter with your name on it.
Bonus worries for when a company wants to tell you how it "takes the privacy and security of personal information very seriously."
"Great," you might think. "So do I."
Except the letter inevitably goes on to say something that implies the opposite. Here's a hint: "The unauthorized third party obtained select files from certain Forever 21 systems."
Half a million lucky individuals will be the recipients of just such a letter, being sent this week by Forever 21. Founded in 1984, the apparel retailer is based in Los Angeles and owned by Sparc Group, which as of this week is now one-third owned by Chinese former rival fast-fashion retailer Shein. Forever 21 counts 540 stores globally, with most in the United States.
Here are the facts of its latest breach:
- Victims: Forever 21 on Tuesday began notifying 539,207 current and former employees that via an "external system breach," an attacker stole their personal information. How the breach was perpetrated isn't stated, nor is the age of stolen data.
- Detection: The retailer said it had spotted the security breach on March 20 and brought in external cybersecurity experts to investigate. Their probe ended on Aug. 4, which is a relatively long time for a breach investigation to last, especially when personal information has been stolen.
- Findings: Investigators found that between Jan. 5 and March 21, attackers had accessed multiple systems and stolen multiple files. They subsequently reviewed all of the stolen files "to identify individuals whose personal information may be contained in the files."
- Stolen: Exfiltrated information included a victim's name, Social Security number, birthdate, bank account number - but no PIN codes - as well as information regarding their health plan, including the plan in which they're enrolled and the premiums paid.
- Risk: Victims now face an elevated risk from fraudsters. The company is offering victims 12 months of prepaid identity theft monitoring.
This isn't the first data breach Forever 21 has suffered. In 2018, the "cheap chic" retailer warned customers it had suffered a seven-month attack involving point-of-sale malware, which was exacerbated by it failing to have enabled encryption on multiple POS terminals.
That 'No Evidence' Hedge
Forever 21's most recent breach notification, as is too often typical, includes a heavy dose of marketing spin in an apparent attempt to try and minimize culpability.
"We have no evidence to suggest your information has been misused for purposes of fraud or identity theft as a result of this incident - and no reason to believe that it will be," Forever 21's notification reads.
This oft-seen breach bromide is a logical fallacy. To quote famous astronomer Carl Sagan, "Absence of evidence is not evidence of absence."
The notification doublespeak continues: "Forever 21 has taken steps to help assure that the unauthorized third party no longer has access to the data."
It's great that the attacker no longer has access to the data, right? Really, though, what does this vagueness mean? It might refer to the retailer having taken some basic steps it should have taken earlier, such as using multifactor authentication to secure key systems, thus making the data inaccessible.
Instead, this sounds curiously close to Forever 21 admitting that it paid its attacker in return for a promise to delete stolen data, as the privacy advocate known as Dissent has observed.
Forever 21 didn't immediately respond to a request for comment.
What 'Serious' Looks Like
Security experts urge victims to never pay a ransom. If they must - perhaps because it's the only way to restore needed data and keep a business running - they should only pay for things that are tangible, such as a decryptor for potentially restoring data.
Paying for anything else - to remove your name from a data leak site or for an attacker to pinkie promise they'll delete all copies of stolen data - is nonsensical. Just as it is when victims claim they've taken steps to ensure the attacker no longer has a copy of the data. It might sound good to marketers, but it has no demonstrable value. No one has ever proven an attacker really did delete stolen data (see: Ransom Realpolitik: Paying for Data Deletion Is for Suckers).
Ideally, organizations should also share clear details about how they were breached, not least to help organizations next in line for attack. Alas, U.S. data breach notification rules don't require such transparency, and in too many breach notifications today it remains sorely lacking - even from victims that say they take privacy and security seriously.