Data Breach at Forever 21 Exposes Information of 500,000 Individuals
Fashion retailer Forever 21 has revealed that a data breach earlier this year has impacted over half a million individuals.
According to a data breach notification submitted to the attorney general of Maine, the company disclosed that it fell victim to a cyberattack spanning three months, commencing in early January 2023. During this breach, unauthorized intruders gained access to files within Forever 21's systems. Lorena Terroba Urruchua, a spokesperson for Forever 21, conveyed via FTI Consulting, a public relations firm, that the compromised data included personal information pertaining to both current and former employees.
The notification further detailed that Forever 21 has notified 539,207 individuals that the exposed data includes their names, dates of birth, bank account numbers, Social Security numbers, and information concerning employees' participation in the Forever 21 health plan, including enrollment details and premiums paid.
While the specifics of the incident were not disclosed beyond the breach of the company's systems, Forever 21 did assert that it has taken measures to ensure that the unauthorized third party no longer possesses access to the compromised data. However, the statement's vague wording raises questions about the nature of these measures and whether the company may have negotiated with the hacker, potentially involving payment in exchange for data deletion.
It is not uncommon for ransomware and extortion groups to threaten to publish stolen data if their demands for ransom are not met. Nonetheless, security experts have consistently cautioned against trusting threat actors' claims that they have deleted the data.
Forever 21's spokesperson, Terroba Urruchua, declined to provide further details or commentary on the matter.
Forever 21, with approximately 500 retail locations and an online store, previously experienced a major data breach in 2017, when credit card numbers were stolen from its in-store point-of-sale systems.
Notably, the recent revelation of the data breach coincided with the announcement of a partnership between Forever 21 and retail giant Shein, which includes plans for both brands to expand their reach to each other's customer base. Additionally, Shein intends to acquire a significant stake in Forever 21's operator, Sparc Group. It remains uncertain whether news of the data breach will impact the partnership between the two companies.