Hanna Andersson, the Portland, OR-based children’s clothing brand with Swedish roots, was hacked in a magecart attack last fall that exposed customers’ credit card information, including CVV codes, but is just now coming to light.
The Portland Business Journal reported the hack revealed credit card information from transactions between Sept. 16 and Nov. 11, 2019, but that affected customers were only notified in a letter on Jan. 15.
The letter is not posted on the Hanna Andersson website or social media. A copy of the letter originating from an attorney in the Seattle office of international law firm Perkins Coie LLP is posted on the website of the North Dakota Attorney General’s office. It says, in part:
“On Dec. 5, 2019, law enforcement informed Hanna Andersson that credit cards used on its website were available for purchase on a dark web site,” the letter said. “Hanna Andersson immediately launched an investigation. The investigation has confirmed that Hanna Andersson’s third-party ecommerce platform, Salesforce Commerce Cloud, was infected with malware that may have scraped information entered by customers into the platform during the purchase process.”
The letter continues that although the investigation indicates not all customers who bought online at Hanna Andersson during that timeframe were affected, it could not determine exactly who was. As a result, Hanna Andersson decided on Dec. 31 to notify all customers who made online purchases during the period that they may have been impacted.
The issue also surfaced in comments on a Jan. 16 Hanna Andersson Facebook post showcasing girls’ dresses.
“Apparently this company had a major data security breach last year and is just now getting around to telling their customers,” one comment said. “Customers beware!”
Hanna Andersson responded:
“Thank you for reaching out to us with your concerns. We understand learning a data breach occurred can be very upsetting. With any such event, it takes time to gather the relevant information, identify the affected individuals and line up the assistance services that are being offered. Because customers like you are so important to us, we are offering domestic customers full identity theft protection services through ID Experts to customers, which we hope will provide some degree of comfort. We recognize that this incident will test your trust in us, and we are committed to doing everything we can to earn back that trust.”
According to Portland Business Journal, Hanna Andersson has approximately 75 retail locations and employs about 200.