Cyber Incident Victim: Urban Planet
Date:
Oct 2015
Location:
United States of America
Summary
A cybersecurity incident at A&M (2015) LLC impacted payment card data of customers at several retail brands, including Urban Planet, through malware installed on point-of-sale systems. The compromise exposed debit and credit card numbers, expiration dates, and CVV codes for transactions at most affected U.S. stores; two specific locations additionally had customer names accessed. The malware was identified and removed after forensic investigation, with no evidence of online transaction compromise or theft of Social Security numbers or PINs. The company implemented enhanced security protocols, collaborated with law enforcement and third-party experts, and notified customers to monitor financial accounts for unauthorized activity.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
A&M (2015) LLC discovered a data security incident affecting customers who used debit or credit cards at several retail brands, including Urban Planet, between November 24, 2015, and August 23, 2016. The company initiated an investigation after its credit card processor reported unusual activity, engaging third-party forensic experts to examine its systems. On August 11, 2016, suspicious files were identified on A&M’s computer systems, suggesting potential compromise of payment card data. Twelve days later, on August 23, 2016, forensic analysis confirmed these files contained malware designed to collect customer payment information, prompting immediate removal. The malware specifically targeted point-of-sale systems at physical stores across U.S. locations of Annie Sez, Afaze, Mandee, Sirens, and Urban Planet, with two additional locations—Annie Sez in Danbury, Connecticut (October 15, 2015–August 23, 2016) and Mandee in Bergenfield, New Jersey (October 14, 2015–August 23, 2016)—having extended exposure periods. Online transactions through brand websites like www.mandee.com remained unaffected throughout the incident.
The forensic investigation determined that compromised data included card numbers, expiration dates, and CVV codes for most impacted locations. Customers at the Danbury Annie Sez and Bergenfield Mandee locations additionally had their names exposed alongside payment details. No Social Security numbers, PINs, or online transaction data were compromised, as A&M did not collect or process this information. Following malware eradication on August 23, 2016, A&M implemented enhanced security protocols to prevent further unauthorized access. The company established a dedicated assistance line (1-844-512-9007) and published incident details on www.mandee.com and www.anniesez.com, advising customers to review financial statements and credit reports for suspicious activity. A&M collaborated with law enforcement and continued forensic reviews to secure systems, while recommending affected individuals contact credit bureaus to place fraud alerts or security freezes, noting potential delays in credit approvals resulting from these protective measures.