Hanna Andersson, a children’s clothing company with stores across the country, has told customers that their card payment data may have been compromised in a security breach last year.
For nearly two months from mid-September to mid-November, an “unauthorized third party” had access to card payment information that certain customers entered as they were checking out at Hanna Andersson’s website, Mike Edwards, the company’s CEO, said in a Jan. 15 letter to customers viewed by CyberScoop.
The exposed data included payment card numbers, expiration dates, and CVV codes, along with customers’ names, billing addresses, and shipping addresses. Law enforcement officials recently told executives at Portland, Oregon-based Hanna Andersson that there was evidence of a breach, Edwards said.
It is unclear how many customers were affected by the incident. While it doesn’t appear that every customer who visited the website during the two-month period was victimized, Edwards said, the company is notifying anyone potentially affected. It is also offering customers a year of credit monitoring and a $1 million “insurance reimbursement policy.”
A Hanna Andersson spokesperson told CyberScoop the company does not know who was responsible for the breach or how many customers might be affected. Hanna Andersson has hired cybersecurity companies Coalfire and Carbon Black, along with consulting firm Charles River Associates and a team from Salesforce, to investigate the breach, the spokesperson said. The company is working with the Department of Homeland Security and FBI on the investigation.
Hanna Andersson is known for selling pajamas, some of which are themed around popular Disney movies. The breach shows that, regardless of the end product being sold, anywhere on the web that houses financial data is a potential target for criminals.
Financially motivated hacking is thriving as criminals have successfully targeted web portals where victims enter payment data. One of the more effective ways of stealing card-payment data is through a code-skimming technique popularized by a collection of roughly a dozen criminal groups known as Magecart. A recent study found that Magecart-style code had been planted on more than 2 million websites.
Hanna Andersson’s letter to customers did not identify any suspects who may be behind the breach.
UPDATE, 01/22/20, 7:48 a.m., EDT: This story has been updated with a statement from a Hanna Andersson spokesperson.