Hanna Andersson Data Breach: Hackers Compromise Website of Children’s Clothier


Portland, Oregon-based children’s clothing maker Hanna Andersson has quietly disclosed a breach to affected customers. Very few details of the breach have been made public.

The letter, obtained by SecurityWeek, has been sent via postal mail and explains that a third party had gained unauthorized access to customer information entered during online purchases between September 16 and November 11, 2019. The intrusion was only discovered after the firm was notified by law enforcement that such a breach had likely happened, although the firm gives no indication of when it was so informed.

This is not the best way to learn of a breach involving financial data. It generally means that card issuers or law enforcement have seen enough fraud on cards sharing a common point of purchase to trace them back to a single merchant. In other words, the breach was successful, card details have been stolen, and they are already being used by criminals.

According to the breach notification letter, the “incident potentially involved information submitted during the final purchase process on our website, www.hannaandersson.com, including name, shipping address, billing address, payment card number, CVV code, and expiration date.” Records of this kind are often sold on the dark web as ‘fullz’; that is, the data contains all the information necessary for a criminal to make fraudulent card-not-present purchases over the internet.

There is no indication that these details were encrypted; indeed, the implication is that they were not. Under PCI DSS (the security standard required by the payment card industry for any organization accepting card payments), a stored card number must be rendered unreadable (Requirement 3.4) and the CVV must never be stored after authorization (Requirement 3.2). That the attackers obtained the CVV at all suggests the details were ‘skimmed’ as they were entered, in the customer’s browser, before the retailer ever had the chance to encrypt the card number and discard the CVV. Server-side encryption offers no protection against that kind of capture.

This is the attack methodology used in several recent ‘Magecart’ attacks, the collective name for criminal groups that perform credit card web skimming. The Hanna Andersson breach has not been confirmed as a Magecart attack, but such attacks generally involve the insertion of malicious JavaScript into the victim company’s checkout page, either directly into the site’s own code or through a compromised third-party script. The skimmer reads the payment form fields as the customer fills them in and sends a copy to a host the attackers control. It is known that a growing number of well-established criminal groups are now involved.

Hanna Andersson is providing no details of the attack. At the time of writing it is not known how the malicious code got onto the site, who may be involved, nor how many customers may be affected. It does say, however, “we have retained forensic experts to investigate the incident and are cooperating with law enforcement and the payment card brands in their investigation of and response to the incident.” We will learn more as time progresses.

Any response from the PCI Security Standards Council will be interesting. Although not an official claim, it is often suggested that no firm in full compliance with PCI DSS has ever been breached. “We can definitively state,” says the Verizon 2019 Payment Security Report, “we have never reviewed an environment or investigated a PCI data breach involving an affected entity that was truly PCI DSS compliant.” Coincidentally, this report was published at the very end of the Hanna Andersson breach.

Interestingly, the retailer posted a job opening for a “Director of Cyber Security” around the “end” of the incident, suggesting that the company may not have had a robust internal security team. According to the job description, this person would be tasked with serving as a “primary point of contact concerning any cyber-attack activity and deal with any such incidents promptly and efficiently minimizing any reoccurrence.”

Despite the lack of detail being provided by the firm, it is nevertheless offering affected customers a comprehensive after-breach care package. This comprises MyIDCare identity theft protection services from ID Experts, including 12 months of credit and CyberScan monitoring, a $1 million insurance reimbursement policy, and fully managed ID theft recovery services.

SecurityWeek has contacted Hanna Andersson for further details.

Related: Hunting for Magecart With URLscan.io 

Related: Payment Card Skimmer Found on Macy’s Website 

Related: Ticketmaster Breach: Tip of the Iceberg in Major Ongoing Magecart Attacks 

Related: Magecart Skimmer Poses as Payment Service Provider 


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
