Forever 21 employees have been affected by a significant data breach discovered in March 2023 that exposed sensitive personal information for over 539,000 workers. The breach, which occurred between January 5 and March 21, 2023, compromised employee names, Social Security numbers, dates of birth, bank account information, and health plan enrollment data. As of mid-2024, the case remains in active litigation with no settlement amount yet publicly announced, though employees impacted during the compromise period are eligible to participate in the class action lawsuit.
Additionally, Forever 21 customers who made purchases using payment cards between April and October 2017 may be eligible for compensation through a separate class action settlement that was previously resolved. That earlier settlement addressed a payment card data breach affecting hundreds of thousands of customers and included claims-based compensation for documented out-of-pocket losses and time spent. Understanding which breach may have affected you is essential before filing a claim.
Table of Contents
- What Are the Two Forever 21 Data Breaches and How Do They Differ?
- The 2023 Employee Data Breach—Current Status and What We Know
- The 2017 Payment Card Data Breach Settlement—Compensation and Claims
- How to Determine If You’re Affected and Understand Your Rights
- Risks and Limitations of the Ongoing 2023 Employee Litigation
- Comparing the Forever 21 Settlement to Other Major Data Breaches
- What’s Next for Affected Individuals and Future Protections
What Are the Two Forever 21 Data Breaches and How Do They Differ?
Forever 21 experienced two separate data breaches over different time periods, each affecting different groups of people. The first breach occurred in 2017 when payment card data from customers making in-store purchases was compromised between April 13 and October 24, 2017. This breach potentially affected hundreds of thousands of customers who swiped their credit or debit cards at Forever 21 registers during that six-month window. For comparison, the 2023 employee breach was significantly larger in scope, compromising data for 539,207 employees and exposing not just financial card information but also highly sensitive personal identifiers like Social Security numbers and bank account details. The fundamental difference between the two breaches lies in who was affected and what data was stolen. The 2017 customer breach was limited to payment card information—card numbers, expiration dates, and cardholder names—information that could potentially be used for fraudulent transactions.
The 2023 employee breach, by contrast, exposed identity theft risks for workers, including their complete names, Social Security numbers, dates of birth, banking information, and health insurance enrollment data. This combination of information in the hands of criminals presents a much higher identity theft risk than card data alone. The breaches also had different notification timelines. The 2017 customer breach was discovered and addressed years before litigation was resolved, resulting in a settled class action. The 2023 employee breach took several months to discover after the compromise period ended, with Forever 21 sending breach notification letters on August 29, 2023—roughly five months after the breach was discovered in March. This delay in notification meant affected employees had limited time to monitor their information for fraudulent activity during the critical window when criminals might attempt identity theft.
The 2023 Employee Data Breach—Current Status and What We Know
The Forever 21 employee data breach discovered in March 2023 represents one of the largest employee data exposures in recent retail history. The breach compromised information for 539,207 employees, making it a matter of significant concern for current and former workers. As of June 13, 2024, the litigation was still in active proceedings with Samantha Holbrook and co-counsel appointed as Interim Co-Lead Counsel, and no final settlement amount had been publicly announced. This means employees affected by the breach should expect the case to continue progressing through the court system before any settlement compensation becomes available.
One critical limitation of the ongoing 2023 litigation is the unpredictability of the outcome. Unlike the resolved 2017 settlement where compensation amounts were established and known, the 2023 employee breach case has not yet reached a settlement agreement. This means employees do not yet know what compensation they may receive or when funds might be distributed. The litigation timeline could extend months or even years further, and if Forever 21 successfully defends against portions of the claims, the compensation available might be lower than plaintiffs hope for. For employees who have already experienced identity theft or fraud as a result of the breach, waiting for a lengthy litigation process to conclude can be frustrating and leave them without immediate compensation for losses.
The 2017 Payment Card Data Breach Settlement—Compensation and Claims
While the 2023 employee breach case continues through the courts, Forever 21 customers affected by the 2017 payment card data breach already have a resolved settlement available. The settlement agreement in Hameed-Bolden v. Forever 21 awarded $500,000 in attorneys’ fees and costs to the legal team, and two class representatives received $2,500 awards each for serving as plaintiffs. However, the bulk of the settlement money goes to individual claimants who file verified claims documenting their losses. Under the 2017 settlement structure, eligible customers can claim compensation for out-of-pocket expenses directly resulting from the breach—such as credit monitoring fees, fraudulent transaction losses not reimbursed by their bank, or costs to fix their credit after identity theft. Additionally, customers can claim reimbursement for time spent addressing breach-related issues at a rate of up to $100 per hour.
For example, if a customer spent 10 hours on the phone with their credit card company disputing fraudulent charges, contacting credit bureaus, and monitoring their credit reports, they could potentially claim up to $1,000 in time compensation. The settlement requires documented proof of these expenses, such as receipts for credit monitoring services, bank statements showing fraudulent transactions, or detailed time logs with descriptions of activities performed. A key limitation of this settlement structure is that not all breach-related impacts qualify for compensation. Emotional distress, loss of sleep over security concerns, or frustration with the breach generally do not result in reimbursable claims. Only documented, quantifiable expenses and verifiable time spent directly addressing the breach count. This means customers who experienced minor impacts from the breach may find they have little to claim, while those who had extensive fraudulent activity or spent significant time cleaning up the mess can potentially recover more substantial amounts.
How to Determine If You’re Affected and Understand Your Rights
Determining whether you are affected by either Forever 21 data breach requires understanding the specific timeframes and data compromised in each incident. For the 2017 customer breach, you are potentially affected if you made any in-store purchases at Forever 21 using a credit card, debit card, or other payment card between April 13 and October 24, 2017. If you made online purchases during that period, those were not compromised by this particular breach—only in-store transactions using payment cards were affected. For the 2023 employee breach, you are affected if you were a Forever 21 employee whose information was in the company’s database at any point between January 5 and March 21, 2023, when the breach occurred.
Understanding which breach may have affected you matters because it determines what rights and compensation options are available to you. If you were only a customer, you may only be eligible for the 2017 settlement—and only if you made in-store card purchases during that specific timeframe. If you were an employee during the 2023 breach period, you would be part of the employee class action still in litigation. Some individuals may be affected by both breaches if they were both customers in 2017 and employees in 2023, in which case they could potentially have claims under both settlements. This distinction is crucial because pursuing the wrong claim or missing a deadline could mean forfeiting compensation you are legally entitled to.
Risks and Limitations of the Ongoing 2023 Employee Litigation
While affected Forever 21 employees have legal rights to pursue compensation for the 2023 data breach, the ongoing litigation presents several risks and uncertainties. The primary risk is the possibility that the settlement negotiations could stall or that the court could rule partially in Forever 21’s favor, reducing the compensation pool available to employees. Data breach litigation is complex, and companies often argue that they implemented reasonable security measures or that the harm to employees is minimal because no widespread identity theft has been detected. If Forever 21 successfully convinces the court that certain employees were not significantly harmed, those individuals might receive reduced compensation or nothing at all, even though their data was compromised. Another significant limitation is the statute of limitations on filing claims. While the 2023 breach is still in active litigation, there will eventually be a deadline for submitting claims once a settlement is reached.
Employees who miss this deadline—whether because they are unaware of the settlement, the notification is unclear, or they simply forget—will lose the opportunity to claim compensation. Unlike some settlements that use automatic distribution based on class membership, data breach settlements often require individual claims with documented losses. Employees who fail to submit a claim will not receive compensation, even if they were definitively affected by the breach. A final warning: employees should be cautious about relying solely on the class action settlement to address identity theft losses. If your data is already being misused—if fraudulent accounts have been opened in your name or your credit has been damaged—you may need to take immediate action rather than waiting for settlement compensation. Filing disputes with credit bureaus, placing fraud alerts on your credit, and monitoring your credit reports are steps you should take immediately, regardless of whether the settlement process is ongoing. The settlement process can take years, but identity thieves can open accounts and damage your credit in weeks.
Comparing the Forever 21 Settlement to Other Major Data Breaches
The Forever 21 breaches are not unique in the retail and employment context. Other major retailers have experienced similar data breaches affecting millions of customers. For comparison, the Target data breach of 2013 affected 40 million credit and debit card accounts and resulted in a settlement exceeding $18 million. The Equifax breach of 2017 impacted 147 million people and resulted in a $700 million settlement, though the per-person compensation was relatively small.
Forever 21’s 2023 breach affecting 539,207 employees is significant but smaller in absolute numbers than some of the largest breaches on record. However, the type of data compromised in the Forever 21 employee breach—including Social Security numbers and banking information—puts it in a higher-risk category than payment card-only breaches. While payment card breaches primarily expose financial fraud risk, employee data breaches with SSNs and banking details create long-term identity theft risks that can persist for years. This is why settlements for employee data breaches often result in substantial compensation when they finally resolve, and it’s why the ongoing Forever 21 employee litigation may result in significant per-person payouts once settlement terms are announced.
What’s Next for Affected Individuals and Future Protections
For customers affected by the 2017 Forever 21 payment card breach, the next step is to file a claim if you have documented losses. The settlement money is available now, and delays in filing your claim only mean delaying your potential compensation. For employees affected by the 2023 breach, the path forward is less clear because the litigation is still ongoing.
As the case progresses toward settlement, watch for official notifications from the court or settlement administrator with claims deadline information, and be prepared to document any losses you have experienced as a result of the breach. Looking forward, both Forever 21 customers and employees should consider implementing personal data protection measures regardless of whether they receive settlement compensation. Monitoring your credit reports through free annual reports at AnnualCreditReport.com, signing up for credit monitoring services, and placing fraud alerts with credit bureaus are proactive steps that can minimize damage from data breaches. While the class action settlement process compensates for documented losses, prevention and early detection remain the most effective strategies for protecting yourself in an era when major data breaches have become routine.