Forever 21 Aftershocks? Citibank Cancels Cards Due To Retailer Security Breach

We’ve received queries from readers telling us that their Citibank cards have been replaced, and asking whether we’ve heard about any new security breach. Other than Forever 21 we haven’t, so we’re wondering whether they’re responsible for the stories below.

Jeremy writes:

Just got a replacement card from Citi due to possible “compromise of information” but when I asked customer service who the merchant was who may have been compromised, she said she did not have that information, but that it came straight from Visa and Mastercard and that it happened in the last 6-8 months.

Trevor writes:

I logged onto my CitiCard professional account today and discovered an “important security messsage” that my account may be at risk due to a problem with a merchant’s database. The CSR said someone had “hacked in” to a database. His manager said she didn’t know which merchant was involved, and invoked the TJ Maxx case as an example. When I asked if this was of comparable size, she said it was, and the CitiBank was issuing new cards to people, and that mine should be in the mail already.

Update 09/19/08: We received another report this morning:

Just yesterday, I received a replacement card.

Logging onto their site, I got a message saying my card had been compromised. I decided to activate the new card, but pressed 5 for a consumer rep. This was not the ordinary rep with noise in the background. She had no “sell-up” scripts nor an ebullient demeanor.

She said my card had to be replaced due to a database compromise.


Edit Your Comment

  1. B says:

    Maybe it wasn’t a retailer. Maybe Citi’s on security was compromised. After all, if a retailer was comprimised, we’d see more than just Citi reacting to the data breech. Baseless speculation is fun.

  2. GymLeaderPhil says:

    Any correlation from where these customers are based from or is this on a national level (Wal-Mart, Online Retailers)?

  3. visualbowler says:

    wasn’t there a story going around about a breech at forever 21 where they had credit card numbers stolen?

  4. BoraBora says:

    Hmmm. 2 weeks ago my card was inexplicably declined. I figured it was because I hardly ever use it and have no balance on it. I wound up using another card just to avoid the hassle. Then a few days later I made a purchase with my citi card and everything was fine. 2 days ago I got a letter in the mail from the fraud department asking me to call them. When I called them they said they were concerned about the card attempt (that was declined) and the following purchase. This didn’t make any sense (or adequate fraud protection) that they would decline the card, only to let me use it shortly afterwards. When I asked them about this, they then claimed that they regularly decline cards randomly as a precaution. Now I’m wondering if the CSR was lying to me and they were trying to put out a fire without telling anyone the real story.

    • Grrrrrrr, now with two buns made of bacon. says:

      Well, that’s odd timing. I received a phone message from Citibank on my answering machine asking me to call them back. I figured it was just a sales gimmick.

      @BoraBora: Randomly denying cards as a precaution? Wow, that sounds like an incredibly stupid idea and a load of BS. I know if there’s anything I’d want, it would be to have my credit card “randomly declined” while I’m in a strange city trying to rent a car. Yeah, I’d just *love* that.

  5. MaelstromRider says:

    My Shell cards just got reissued with no explanation as to why. They’re also Citi. I haven’t used my Shell card in a year, so my guess it’s a direct hit on Citi.

  6. 3drage says:

    I have a Citi card and wasn’t given a reissue. So I’d imagine it was a retailer and not the company itself…unless a hacker only had a portion of the numbers.

  7. rlee says:

    My Citi MC got replaced a while back due to “possible breach”, which I guessed was TJ Maxx (where I’ve not shopped, but I suppose Citi doesn’t check that). I’ve not heard anything lately; we shall see..

  8. shorty63136 says:

    I called about 3 weeks ago to ask a question and the guy that answered immediately asked if I was calling from a store. I told him no and he told me that there was fraudulent activity on my card and that he closed the account. Put me on hold for a long time and went through things quicker than what I was used to when dealing with Citibank.

    I got off the phone w/ him and then called right back and spoke to someone who acted like they were happy to be at work and she explained that he did close my account, etc. and apologized after I told her that was the worst customer service I’d ever experienced with them (it was – and I’ve been w/ them since ’02).

    They re-issued a card and sent me an affidavit to sign confirming that I knew nothing about that random charge.

    Not sure if it’s related, but it happened very abruptly.

  9. Daemonstar says:

    I received a letter from Discover dated September 3 that said:

    “We’ve been advised by a retailer that your Discover Card account information may have been compromised. This incident did not involve any Discover Card systems and there is no evidence that an unauthorized individual is using this account number. We’re confident that it is not necessary to provide you with a new account number at this time, and you can continue to use your existing Discover Card.”

    It also said:

    “Although we cannot disclose information regarding the compromise due to the ongoing investigation, please be assured that this incident cannot cause identity theft.”

  10. formatc says:

    I have a Visa debit card from my local bank that was replaced a few weeks ago. They gave a similar speech about my card possibly being involved in a breach. They weren’t at liberty to discuss who or why, which I found rather offensive since I usually like to know who’s mishandling my personal information.

    No errant charges, at least. The only thing worse than a proactive, silent replacement is the explanation of how seriously they take the unauthorized charges on accounts they knew were compromised.

  11. newcastle says:

    I’ve already had my Citibank card replaced because of TJ Maxx. Last week got I got a letter from Countrywide telling me my data had been compromised. Today I get a letter from BNY Mellon telling me my data has been compromised. WTF?!?

  12. Ciao_Bambina says:

    In mid-July, my credit union sent me a letter notifying me that due to a “hacking incident at a merchant/processor” my Visa was on a list of compromised card numbers and that they would be sending me a new card.

    Since I do a lot of business on line, I called my C.U. to find out if it was a company that I shouldn’t work with anymore. And, as others have found, they wouldn’t/couldn’t tell me anything. Frustrating.

    They must not have been too worried about the “incident” though – the letter said that it would take about 10 days for the new card to reach me, so I could keep on using my old card, but if I noticed anything fishy going on, to let them know. Okey dokey…

  13. undeadsac says:

    I work for Citi, I’ve been with the bank for about 7 years now. Anyhow, the way that the fraud team actually operates is by use of an odd computer algorythm that studies card usage statistics and seemingly places brief holds against cards at times to determine if the transaction is fraudulent or if it fits with the normal behavior of the card. But, it should be taken with a grain of salt, since I dont work in the Fraud dept or FEW (fraud early warning) as it is called internally. there have been a recent rash of people spoofing card numbers, whereby some genious realized that the prefix on all the cards begin with the same series of numbers and is using a computer, I assume, to generate the last digits and systematically charging the devised card #s against fake businesses or charitys and is then pocketing the funds. This applies to both credit as well as debit cards so far. I dont always like the system, but when it works and you are not charged for the 15000.00 fraud transaction, you may find some value in it.

  14. onetime001 says:

    I got the same “important security message” when I logged in online.

    When I asked the CSR how many people were affected, he told me “millions.”

    I checked consumerist for a recent story and was quite surprised not to see one, but I guess it’s coming.

    He did not have info on which merchant, or on the exact date of the breach, but it sounded like it was in the last few weeks.

  15. FLConsumer says:

    Standard policy for the banks to not rat out the merchant/processor involved. They do this both for security and liability reasons.

    I wonder who it might have been. Haven’t received any letters here yet. No Citi cards in my portfolio ‘though.

  16. arl84 says:

    I’m pretty sure it was forever 21. I work at a bank and there was an interoffice memo about it. There may have been multiple stores though.


  17. ReadLine says:

    About ten days ago I received a call from Citi about unauthorized charges to my card. It was almost $5000 to a foreign airline. But it sounds like these other issues are unrelated, since no one else is mentioning specific activity.

  18. Bryan Price says:

    My wife and I had new cards from our credit union when we got back from South Africa. No real explanation, and we still had over a year left on the old cards. And they no longer issue gold cards (probably safer that way). Then because of poor planning on our son’s part, we had to throw an unexpected $3k on it for his plane trip home (3 days warning, and I would have made sure we still had room on the card!), and then we couldn’t charge the personal expense part of the trip when we checked out, so that went on the corporate card, which was then a hassle to get the expense report done and paid. We only needed half of what we spent on him. Plenty of room if it hadn’t been for that. Interestingly enough, they re-evaluated the credit risk, and bumped us up over $3500 on our limit. (Yeah, we’re bad, we’ve only got one truly overseas personal use credit card).

    Past interest on the card in the past three years? Zero. I’m impressed that they upped us without us really paying for it. Then again, they may be thinking that we’ll get it so high, we can’t pay the bill in full each month! And then we’ll pay!

  19. new282 says:

    Yes – happened to me on the 28th August, only that it was not until I received my new CITI card a week later did I knew what had happened. All I was told was that my card number was in a series of numbers that might have been stolen from some merchant (they were not forthcoming). The interesting thing was that I had called CITI on the 30th to let them know I would be out of the country the next week (in Australia right now) and I wanted to let them know I would be using the card (as I have learned from Consumerist), and the person I spoke to said nothing to me about my card being canceled and a new one being issued. Strange…

  20. ztoop says:

    What we need is a ‘vote’ for all the companies we have used and definitely didn’t use to figure out the merchant. I haven’t been told to change cards yet, but one common merchant that I know I haven’t gone to in many years rhymes with balmart.

    One thing to note, I suspect citibank is more willing to change cards when there is a breach. I had this happen to me with the TJMax deal, and although I likely used other cards there, I never had those card companies ask me to switch.

  21. new282 says:

    I suppose it is not a bad thing to complain – at least they discovered something and acted accordingly. I would rather have that happen than nothing at all…

  22. yargrnhoj says:

    Same here, got a letter from Citi with new cards saying mine had been ‘compromised’. I’ve never heard of “Forever 21” and never shopped there and in fact hadn’t really used my Citi card in over two years except for recurring transactions at my health club and alarm service.

  23. NoWin says:

    These sites won’t tell you who the “current” culprit is, as the investigation is ongoing, but it’s always nice to know these firms missed a chance to actually take data security “seriously”…



  24. DanglinModifiers says:

    The very first time I used my Citi card, it was declined. I called in from the store and was told it had been used for a $5 purchase at Bed Bath & Beyond which they flagged as suspicious. When I asked how someone got my CC number without my ever having used it, they had nothing to say. I put the blame squarely on Citi.

    • jeebussez says:


      It’s like undeadsac said, someone realized all Citi cards start with the same numbers and are randomly generating the rest. I know a guy who used to do this when I was younger (15 or so) to try to get into adult sites (I had weird friends). Knowing a card’s prefix and how to generate a checksum can generate you quite a bit of legit card numbers. Use the card to make a small purchase at a large retailer, wait to see if it gets declined, and it not just keep using it until it maxes out and move on. It’s the same way ID thieves work, only they work with possible numbers, not ones that actually exist.

      This is another great reason to use a credit card and not a debit card. Or hell, go cash. I love cash.

  25. tracykins82 says:

    I JUST got an early fraudulent detection call yesterday from citibank and am currently awaiting my new card…

  26. reznicek111 says:

    I also received a early fraud warning call from Citibank yesterday; they cancelled my card and are issuing a new one. Unfortunately, there were several hundred dollar’s worth of fraudulent charges rung up on it over the past few days, which I have to deal with. Not pleasant, but I’m glad Citi flagged the fraud as quickly as they did. It’s also scary to read here how many other people seem to have the same problem!

  27. LarsHyperion says:

    I received an online alert regarding my Citibank account. I called up and
    was told that there were a total of 6 charges made on my account. They were
    all online/phone charges. I’m currently disputing with them. They blocked
    my card, leaving me no access to my account till tomorrow. I would advise
    anyone with a Citi account to log-in their online account or give them a
    call. The charges total $298.63.

  28. thrsnospoon says:

    I was looking into applying for a Staples card and was told to hold off until the next week. They’re switching their credit card provider from Citi to something else. That being said, I’m positive the breach was with Citi themselves.

  29. junip says:

    I have a wells fargo card, and my debit card was recently reissued with the same “your number may have been involved in a group that we felt was compromised” reasoning from the CSR. I was a little miffed, because I never ever use my debit card for anything. Who compromised my information? Must be the bank, right?