Forever 21 responds to involvement in "mega-breach"
Technorati Tag: Security Breach
Date Reported:
9/12/08
Organization:
Forever 21, Inc.
Contractor/Consultant/Branch:
None
Location:
Fresno, California
Victims:
Customers
Number Affected:
"approximately 98,930"
Types of Data:
"credit and debit card numbers and in some instances expiration dates and other card data"
Breach Description:
"Nearly 99,000 payment cards used by customers at several Forever 21 Inc. retail stores may have been compromised in a series of data thefts dating back to August 2004."
Reference URL:
Forever 21 Public Notice
The Wall Street Journal (marketwatch.com)
Network World
Report Credit:
Forever 21, Inc. (actually the U.S. Secret Service)
Response:
From the online sources cited above:
Law enforcement recently informed us that our systems may have been illegally accessed to obtain customer payment card information.
[Evan] This would be a shock: getting a call from the U.S. Secret Service about a breach of my organization's systems that I didn't even have a clue about.
We have determined that this incident may have affected a subset of our customers who shopped at our stores on the following nine dates: March 25, 2004; March 26, 2004; June 23, 2004; July 2, 2004; July 3, 2004; August 4, 2007; August 5, 2007; August 13, 2007; and August 14, 2007.
[Evan] One breach affecting customers on these nine dates or nine separate breaches? Do you remember what you were doing on March 26th, 2004? I can't remember where I was last Thursday!
In addition, the incident may have affected customers who shopped at our Fresno, California store located at 567 E. Shaw Ave. between November 26, 2003 and October 24, 2005.
[Evan] This incident or series of incidents spans from November 26, 2003 through August 14, 2007!
On August 5, 2008, the U.S. Department of Justice in Boston filed indictments against 3 individuals alleged to have committed crimes involving credit card fraud against 12 retailers.
[Evan] This was/is big news. Computer World's coverage is here.
That morning, Forever 21 was contacted by the U.S. Secret Service and was advised that our company was identified in the indictment as one of the retail victims.
We subsequently received from the Secret Service a disk of potentially compromised file data.
[Evan] A disk (or copy) of the compromised data was sent to Forever 21. Do you think that the Secret Service encrypted the information? I bet they did.
We promptly retained forensic consultants to help us examine the file data and our systems.
Based on that investigation, we believe that the unauthorized persons accessed older credit and debit card transaction data for approximately 98,930 credit and debit card numbers.
Approximately 20,500 of these numbers were obtained from the Fresno store transaction data.
The data included credit and debit card numbers and in some instances expiration dates and other card data, but did not include customer name and address.
The company offered no details on what other data might have been compromised, and it was not clear whether all nine of the data theft incidents resulted from a single intrusion or whether the company's systems were broken into nine separate times.
More than half of the affected payment card numbers are no longer active or have expired expiration dates.
We have been working with our acquiring bank and payment card networks to resolve the situation.
Your card issuing institution may send you a written notice mailed to the address related to the account number about this incident.
We have also contacted the three principal credit reporting bureaus, Equifax, Experian and TransUnion, to advise them of the situation.
Since 2007 when the Payment Card Industry Data Security Standards (the "PCI Standards") were imposed, our systems have been certified to be in compliance with the PCI Standards, including the data encryption standards.
[Evan] Many of the dates listed in this breach are prior to 2007. PCI DSS has been around since at least January 2005; the current version (1.1) was released in September 2006, and the newest version (1.2) is due out in the next month or so. I take a couple of issues with this statement. I'll rant a little in the Commentary section below.
After we were informed of this incident, we adopted additional proactive security measures and continue to regularly monitor our systems for intrusions.
[Evan] Proactive? Seems reactive, but I guess it depends on the context.
If you shopped at our stores on the nine dates above or at our Fresno store during the time period indicated, we are alerting you so that you may take steps to protect yourself from payment card fraud.
Should you have any questions about this incident or need additional information, we have designated a customer service number for you to call, 1-.
The recording invited callers to leave their names and phone numbers with the promise that someone from the company would get back to them.
Commentary:
OK, my main beef is with this statement: "Since 2007 when the Payment Card Industry Data Security Standards (the "PCI Standards") were imposed, our systems have been certified to be in compliance with the PCI Standards, including the data encryption standards."
PCI DSS was available well before 2007, although it may not have been "imposed" until then.
The word that catches me is "imposed". Organizations creating, collecting, storing and transferring sensitive information should be taking steps to provide adequate protection regardless of whether or not a standard (or regulation) is "imposed" upon them. In my opinion, waiting for a regulation or standard to be "imposed" is short-sighted (non-strategic) and a sign of poor management. Honestly, if organizations did the right thing(s) and managed information security well, there would not be a need for regulatory compliance.
I subscribe to creating information security programs that are aligned with and support business objectives. Managing information security only to be compliant with regulations misses many of the risks and nuances specific to a particular business, and is ultimately not cost-effective. Obviously organizations must maintain compliance, but information security is NOT a destination (compliant) and should not be viewed as an imposition (cost center).
There, I'm done. Not too painful I hope.
Past Breaches:
Unknown
OK, it's bad enough that Forever21 did not prevent or even discover these incidents on their own, but what I want to know is when did our government first know about it and why didn't they notify Forever21 sooner if they weren't going to notify the individuals themselves?
Dissent,
Excellent questions!
The simplest answer I can come up with is poor management.