Portland, Oregon-based children’s clothing maker Hanna Andersson has quietly disclosed a breach to affected customers. Very few details of the breach have been made public.
The letter, obtained by SecurityWeek, has been sent via postal mail and explains that a third party had gained unauthorized access to customer information entered during online purchases between September 16 and November 11, 2019. This was only discovered after the firm was notified by law enforcement that such a breach had likely happened; although the firm gives no indication of the date they were so informed.
This is not the best way to learn of a breach involving financial data — it generally means that law enforcement has detected financial fraud attempts of sufficient quantity for them to be traced back to a particular source. In other words, the breach was successful, card details have been stolen, and they’re already being used by criminals.
According to the breach notification letter, the “incident potentially involved information submitted during the final purchase process on our website, www.hannaandersson.com, including name, shipping address, billing address, payment card number, CVV code, and expiration date.” These details are often known on the dark web as ‘fullz‘; that is, the data contains all the information necessary for a criminal to make fraudulent purchases via the internet.
There is no indication that these details were encrypted — indeed, the implication is that they were not. Under the regulations of PCI DSS (the security standard required by the payment card industry for any organization accepting card payments), the card number should have been encrypted and the CVV number discarded. That the attackers obtained the CVV number suggests that the details were ‘skimmed’ as they were entered — that is, between the user entering the details and the retailer encrypting the card number and discarding the CVV.
This is the attack methodology used in several recent ‘Magecart’ attacks; that is, credit card web skimming. The Hannah Andersson breach has not been confirmed as a Magecart attack, but such attacks generally involve the insertion of malicious skimmer code into the victim company’s payment code. It is known that a growing number of well-established criminal groups are now involved.
Hanna Andersson is providing no details of the attack. At the time of writing it is not known how the malicious code got onto the site, who may be involved, nor how many customers may be affected. It does say, however, “we have retained forensic experts to investigate the incident and are cooperating with law enforcement and the payment card brands in their investigation of and response to the incident.” We will learn more as time progresses.
Any response from the PCI Security Standards Council will be interesting. Although not an official claim, it is often suggested that no firm in full compliance with PCI DSS has ever been breached. “We can definitively state,” says the Verizon 2019 Payment Security Report, “we have never reviewed an environment or investigated a PCI data breach involving an affected entity that was truly PCI DSS compliant.” Coincidentally, this report was published at the very end of the Hanna Andersson breach.
Interestingly, the retailer posted a job opening for a “Director of Cyber Security” around the the “end” of the incident, indicating that the company may not have had a robust internal security team. In the job descrption, this person would be tasked with serving as a “primary point of contact concerning any cyber-attack activity and deal with any such incidents promptly and efficiently minimizing any reoccurrence.”
Despite the lack of detail being provided by the firm, it is nevertheless offering affected customers a comprehensive after-breach care package. This comprises MyIDCare identity theft protection services from ID Experts, including 12 months of credit and CyberScan monitoring, $1 million insurance reimbursement policy, and fully managed id theft recovery services.
SecurityWeek has contacted Hanna Andersson for further details.
Related: Hunting for Magecart With URLscan.io