Cyber Incident Victim: A&M LLC
Date:
Oct 2015
Location:
United States of America
Summary
A cybersecurity incident at A&M LLC involved unauthorized access to payment card data from customers at multiple retail brands, including Annie Sez, Afaze, Mandee, Sirens, and Urban Planet. Malware installed on point-of-sale systems captured card numbers, expiration dates, and CVV codes during in-store transactions; customers at specific locations also had their names exposed. The compromise was detected following alerts from the company's credit card processor, prompting an investigation with third-party forensic experts. The malicious software was removed, and enhanced security measures were implemented to prevent further breaches. No Social Security numbers, PINs, or online transaction data were affected. The company notified impacted individuals and coordinated with law enforcement while advising vigilance in monitoring financial accounts.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
A&M LLC detected unusual activity following reports from its credit card processor, initiating an investigation with third-party forensic experts to examine potential system compromises. On August 11, 2016, suspicious files were discovered on A&M’s computer systems, indicating possible theft of customer debit and credit card data from transactions at Annie Sez, Afaze, Mandee, Sirens, and Urban Planet retail locations. The malware was confirmed on August 23, 2016, to have been capable of collecting payment card information, prompting its immediate removal. The exposure period spanned November 24, 2015, to August 23, 2016, for most affected stores, though the Annie Sez location in Danbury, Connecticut, and the Mandee store in Bergenfield, New Jersey, had longer vulnerability windows starting October 14–15, 2015. Online transactions through brand websites, including www.mandee.com, remained unaffected. Forensic analysis determined the malware targeted point-of-sale systems, exfiltrating data during in-person card usage. A&M contained the breach by eradicating the malicious files and enhancing security protocols to prevent further unauthorized access.
Compromised data included card numbers, expiration dates, and CVV codes for transactions at all impacted locations except Danbury’s Annie Sez and Bergenfield’s Mandee, where customer names were also exposed. No Social Security numbers, PINs, or online purchase data were involved, as A&M did not collect or store those details. The company established a dedicated assistance line and published incident details on www.mandee.com and www.anniesez.com, advising customers to monitor financial statements and credit reports for unauthorized activity. CEO Eric Grundy emphasized collaboration with forensic investigators and law enforcement to secure systems, though specific malware origins or attacker identities were undisclosed. Customers were directed to contact card issuers for fraudulent charges and provided contact information for credit bureaus to place fraud alerts or security freezes, with warnings about potential delays in credit approvals. The incident resolution focused on procedural improvements and consumer guidance rather than public disclosure of technical remediation steps.