Forever 21 Employee Data Breach Class Action


Forever 21 filed for bankruptcy in 2019, but the fashion retailer’s troubles expanded dramatically in 2023 when a massive data breach exposed sensitive personal information for approximately 539,207 to 540,000 current and former employees. Between January 5, 2023 and March 21, 2023, hackers gained unauthorized access to an internal system containing names, Social Security numbers, dates of birth, bank account numbers, and health benefit enrollment details. The breach wasn’t discovered until March 20, 2023—and the company didn’t notify affected employees until August 29, 2023, a delay of more than five months that prompted class action litigation.

In September 2023, employees filed a class action lawsuit (IN RE F21 OPCO LLC DATA BREACH LITIGATION, No. 2:2023-cv-07390) in the United States District Court for the Central District of California. The case has resulted in a settlement offering affected employees access to credit monitoring services, reimbursement for out-of-pocket expenses related to the breach, and compensation for extraordinary losses. This guide explains who qualifies for the settlement, what benefits are available, and how to file a claim.


What Data Was Exposed in the Forever 21 Breach?

The Forever 21 data breach exposed some of the most sensitive personal information a company can hold about its employees. Hackers accessed names, Social Security numbers, dates of birth, bank account numbers, and health benefit plan enrollment and premium information. This combination of data creates significant identity theft risk—criminals can use SSNs and dates of birth to open fraudulent accounts, apply for loans, or file false tax returns. The exposure of bank account numbers is particularly dangerous, as it enables direct access to financial accounts without needing to create new ones.

The health benefit information exposed is equally concerning. Health records contain detailed personal information that can be sold on the dark web or used to commit medical fraud. Unlike a typical retail data breach where credit card information is stolen, the Forever 21 breach targeted employee payroll and benefits systems—the core infrastructure that employers use to manage compensation and insurance. This means the breach wasn’t just a security failure but a fundamental violation of the trust employees place in their employer to safeguard their most sensitive financial and health data.

The scope of this exposure is comparable to major healthcare breaches that have exposed millions of patient records. What distinguishes the Forever 21 breach is that the stolen data came directly from the company’s own internal systems rather than from a third-party vendor, suggesting the breach resulted from inadequate internal security controls.


The Timeline of the Forever 21 Data Breach and the Notification Delay

Forever 21’s breach window extended from January 5, 2023 through March 21, 2023—a span of more than 2.5 months during which hackers had access to employee personal data. The company discovered the unauthorized access on March 20, 2023, just one day before the breach was finally closed. However, Forever 21 did not notify affected employees of the compromise until August 29, 2023—more than five months after discovery. This significant delay between discovery and notification is a major point of contention in the lawsuit and raises serious questions about the company’s response procedures.

The delay matters because it extended the window of exposure for affected employees. During those five months, stolen data could have been used for identity theft, sold on the dark web, or used to commit fraud. Under the laws of most states, companies are required to notify consumers of data breaches “without unreasonable delay,” typically interpreted as within 30 to 60 days. Forever 21’s nearly six-month delay far exceeded these standards and gave employees virtually no opportunity to take protective measures until the breach was already weeks old.

This timeline also highlights a critical limitation in employee data breach protections: even when a breach is discovered, there’s no federal law that strictly enforces how quickly notification must occur. While state laws provide some protections, penalties for delays are often minimal compared to the harm caused. By the time Forever 21 notified its employees, the window for damage prevention had largely closed.

Forever 21 Data Breach Timeline (days from January 5, 2023)

Breach Begins: 0 days
Breach Ends: 76 days
Breach Discovered: 75 days
Employees Notified: 162 days
Lawsuit Filed: 192 days

Source: Forever 21 Data Breach Class Action Litigation Records

The Class Action Lawsuit Details and Current Status

The case was filed on September 7, 2023, just days after affected employees were notified of the breach. Samantha E. Holbrook of Shub & Johns LLC was appointed as interim co-lead counsel representing the class. The lawsuit was filed in the United States District Court for the Central District of California, which oversees data breach litigation affecting thousands of residents in one of the most populous states in the country.

Class action certification means that thousands of affected employees can pursue their claims together rather than individually filing separate lawsuits. This dramatically increases the legal pressure on the defendant and makes settlement negotiations more likely than if each employee had to hire their own attorney. The central question in the litigation was whether Forever 21’s security practices were adequate, whether the delay in notification was unreasonable, and what compensation employees deserved for the exposure and risk created by the breach. The court system in the Central District of California has substantial experience with data breach class actions, having overseen several major cases involving healthcare providers, financial institutions, and retailers. This jurisdiction has generally held companies accountable for significant notification delays and inadequate security measures, setting a precedent that encouraged Forever 21 to pursue a settlement rather than risk a trial.


What Benefits Are Available Under the Forever 21 Settlement?

The settlement provides three primary categories of relief to affected employees. First, all eligible class members receive one year of complimentary credit monitoring services through IdentityWorks, a service that monitors credit reports and alerts users to suspicious account activity. This is the most immediately valuable benefit because it provides ongoing protection against identity theft during the period when stolen data is most likely to be used fraudulently.

Second, the settlement reimburses employees for documented expenses related to the breach. This includes compensation for time spent dealing with the breach—up to four hours at $25 per hour (totaling up to $100)—as well as reimbursement for credit monitoring or identity protection services that employees purchased with their own money, up to $250.

Third, class members who suffered extraordinary losses directly traceable to the breach can seek individual reimbursement up to $10,000. Extraordinary losses might include fraudulent charges that appeared on accounts after the breach, credit damage resulting in higher interest rates on loans, or medical fraud complications.

A practical example of how this works: an employee who spent eight hours notifying creditors, freezing credit, and monitoring accounts could be reimbursed for four hours ($100), submit receipts for a $180 credit monitoring service and receive reimbursement, and, if they were the victim of identity theft resulting in $5,000 in fraudulent charges that they ultimately had to dispute and remove, could seek up to $5,000 in extraordinary loss reimbursement. The settlement structure recognizes that different employees experience different levels of harm from the same breach.

Eligibility Requirements and Claim Filing Process

To qualify for the settlement, an individual must have been a current or former employee of Forever 21 who was affected by the data breach—meaning their personal information was compromised during the January 5 to March 21, 2023 breach window. This includes both full-time and part-time employees, as well as former employees who worked for the company during the relevant period. The settlement notice sent by Forever 21 included a claim form and instructions for submitting your claim.

The claim filing process requires providing documentation of your employment with Forever 21 and, if seeking reimbursement for out-of-pocket expenses, receipts or statements showing what you spent. For time spent addressing the breach, you’ll need to document your efforts—though the settlement typically allows claimants to self-report reasonable hours without requiring detailed time records. For extraordinary loss reimbursement claims, you’ll need documentation showing the loss was directly caused by the breach, such as fraud alerts from your credit card company or identity theft reports.

An important limitation to understand: the settlement has a claims deadline, typically 180 days from the settlement notice. If you miss this deadline, you lose the right to claim benefits, even if you were clearly affected by the breach. This is not an entitlement program where benefits are automatically paid; it requires affirmative action by each employee to file a claim. Many data breach settlements see claim rates below 50%, meaning many eligible individuals leave money on the table simply by not submitting the required paperwork.


Protection Steps After Notification of a Data Breach

If you received notification that you were affected by the Forever 21 breach, you should take several immediate actions regardless of whether you plan to file a settlement claim. First, enable credit monitoring through the IdentityWorks service provided by the settlement. This monitors your credit reports with all three major bureaus (Equifax, Experian, and TransUnion) and alerts you if anyone attempts to open new accounts in your name or make large purchases.

Second, place a fraud alert on your credit file by contacting any one of the three credit bureaus. A fraud alert notifies lenders that you may be a victim of identity theft and requires them to take extra steps to verify your identity before extending credit. This costs nothing and is typically valid for one year. For greater protection, you can place a credit freeze, which prevents creditors from accessing your credit file entirely (though this makes it harder for you to apply for legitimate credit).

Third, monitor your bank and credit card accounts for unauthorized transactions, and regularly review your credit reports for accounts you don’t recognize. Many people assume that identity theft will be obvious, but in reality, it often appears as small test charges to see if a card is active before larger fraud is committed.

Fourth, consider creating a separate email address and monitoring it for fraudulent account applications or password reset requests. This is a simple but often overlooked step that catches many identity theft attempts.

The Forever 21 case is one of hundreds of employee data breach lawsuits filed in recent years. The trend reflects both increasing frequency of breaches and growing willingness among employees to pursue legal action. Tech companies, healthcare providers, and retailers have all faced major breaches affecting employee records, and attorneys have become increasingly skilled at quantifying damages and negotiating settlements.

Looking forward, companies are under growing pressure to improve security practices and notification procedures. State legislatures continue to strengthen data breach notification laws, and federal legislators have discussed creating a uniform standard that would require notification within 30 days. The Forever 21 case, with its five-month notification delay, illustrates why such standards are needed. As settlements become more generous—reflecting the real harm caused by breaches—companies have stronger financial incentives to invest in preventing breaches in the first place, suggesting that data security practices may improve even without new legislation.

Conclusion

The Forever 21 employee data breach affected over 500,000 workers and exposed some of the most sensitive personal information a company can access. The company’s five-month delay in notifying affected employees prompted class action litigation that resulted in a settlement offering credit monitoring, expense reimbursement, and compensation for extraordinary losses. If you were a current or former Forever 21 employee during the breach period, you likely qualify for benefits and should file your claim before the deadline.

The key takeaway is that data breach settlements require you to take action—benefits are not automatically paid. Gather your claim documentation, submit your claim on time, and enroll in the credit monitoring service. Even if you don’t have documented out-of-pocket expenses, the free credit monitoring service alone provides meaningful protection against identity theft for at least a year following the breach. For detailed claim filing instructions and settlement information, contact the claims administrator listed on your notification letter.

