IMGCAP(1)]
Women's clothing-store chain Forever 21 Inc. Friday issued a statement to customers and the media acknowledging it was one of the 12 merchants whose payment card networks were breached by alleged hackers and card data thieves indicted in the United States last month (CardLine, 8/5). The U.S. Secret Service contacted the FOREVER 21 chain the morning of Aug. 5, the same day the U.S. Department of Justice announced the indictments of 11 men for crimes related to data breaches and card fraud affecting the 12 retailers, the Los Angeles-based company says in the statement. "We subsequently received from the Secret Service a disk of potentially compromised file data," Forever 21 says. "We promptly retained forensic consultants to help us examine the file data and our systems." Forever 21 says the investigation leads them to believe hackers gained access to transaction data involving approximately 98,930 credit and debit card numbers, about 20,500 of which stem from transactions at its store in Fresno, Calif. Forever 21 lists nine dates between March 2004 and August 2007 when thieves may have hacked into store transactions. Forever 21 does not say how thieves may have breached its network but says in some instances it had stored expiration dates "and other card data" but did not store customer names and addresses. Forever 21 says it received validation of PCI compliance in 2007. The chain did not respond to requests for comment by CardLine's deadline. A Secret Service spokesperson declined to comment, saying the agency does not discuss ongoing investigations. But Bruce Cundiff, director of payments research and consulting for Javelin Strategy & Research Inc., tells CardLine he believes law enforcement justifiably delayed informing Forever 21 its name had surfaced in its investigation of the data-theft ring. "I don't see it as the job of the Department of Justice or Secret Service to inform retailers they're targets. Their job is to build a case against individuals," Cundiff says. "Why didn't Forever 21 discover this? They're saying they're complying with all the PCI standards. ... I just see them trying to play the hapless victim."
