Paramount, Forever 21 Data Breaches Set Stage for Follow-on Attacks

A pair of breaches have hit media giant Paramount Global and fashion purveyor Forever 21, exposing personally identifiable information for thousands of people in the latter's case and setting them up for a raft of follow-on attacks.

In Paramount's case, the Hollywood bigwig disclosed in a data breach notification letter obtained by media that cyberattackers accessed PII for certain individuals for a month, between May and June of this year. The data included names, birthdates, Social Security numbers, driver's license numbers, passport numbers, and "information related to [the individual's] relationship with Paramount." 

It's unclear if the data pertains to website members, employees, customers, or other profiles — or how many are affected. The data breach notification letter, penned by an operations executive at Nickelodeon Animation Studio, did not elaborate.

Meanwhile, Forever 21 said in a data breach notification that hackers accessed PII belonging to 539,000 current and former employees, including names, Social Security numbers, birthdates, and bank account numbers. The letter also said that "information regarding your Forever21 health plan" was accessed, including "enrollment and premiums paid."

The retailer discovered the intrusion on August 4, but the unauthorized access took place between Jan. 5 and March 21.

Precursors for More Cyberattacks

While stolen PII, especially Social Security numbers, can be used to carry out identity theft and a host of other fraud, more personalized information, such as the data on the Forever 21 health plans and descriptions of victims' relationship to Paramount, could be used to mount convincing follow-on phishing attacks aimed at capturing even more lucrative data from victims. To boot, even the initial cache of stolen info could lead to account takeovers. Thus, impacted individuals should be on the lookout for a range of attack methods.

"This is a significant number of records that contain very sensitive information that have been potentially compromised," said Erich Kron, security awareness advocate at cybersecurity company KnowBe4, via email. "The data could easily be bundled and sold on the Dark Web and not used for months or even years. Information such as a Social Security number does not expire and can be useful for attackers for decades."

It's unclear what security holes led to the cyber intrusions and which systems were accessed in these cases, but the breaches are a good reminder to companies that hold PII to lock down obvious avenues of attack by patching vulnerabilities, ensuring cloud instances are not misconfigured for open access, and hardening authentication methods for databases and servers that house PII.

"Data breaches, while detrimental to the organization breached, have severe repercussions for companies who encounter fraudsters leveraging the stolen data," says Stuart Wells, CTO at Jumio. "This underscores the necessity for robust identity verification measures across all organizations — companies must establish every user's true identity to ensure that the user accessing an account is not a fraudster."