Cyber Incident Victim: Afaze
Date:
Oct 2015
Location:
United States of America
Summary
A data security incident at A&M (2015) LLC retail brands, including Afaze, involved malware compromising payment card information from in-store transactions. The breach exposed card numbers, expiration dates, and CVV codes; names were additionally compromised at two specific store locations. Social Security numbers and PINs remained unaffected as they were not collected by the company. Following detection via credit processor alerts, forensic investigations confirmed the malware's data exfiltration capabilities, leading to its removal and implementation of enhanced security measures. The incident exclusively impacted physical store transactions, with no compromise of online purchases. Affected customers were notified and advised to monitor financial accounts for unauthorized activity.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
A&M (2015) LLC discovered a data security incident affecting customers who used debit or credit cards at its retail brands, including Afaze, Annie Sez, Mandee, Sirens, and Urban Planet. The company initiated an investigation after its credit card processor reported unusual activity, engaging third-party forensic experts to examine its systems. On August 11, 2016, suspicious files were identified on A&M's computer systems, indicating potential compromise of payment card data. By August 23, 2016, forensic analysis confirmed these files contained malware capable of harvesting customer payment information, prompting immediate removal. The malware operated between November 24, 2015, and August 23, 2016, at all affected U.S. retail locations except online transactions. Two specific stores—Annie Sez in Danbury, Connecticut (October 15, 2015–August 23, 2016) and Mandee in Bergenfield, New Jersey (October 14, 2015–August 23, 2016)—had extended exposure periods. The malware primarily targeted card numbers, expiration dates, and CVV codes. At the Danbury and Bergenfield locations, customer names were also exposed. No Social Security numbers, PINs, or online transaction data were compromised, as A&M did not collect or store those details.
A&M contained the incident by eliminating the malware and implementing enhanced security protocols to prevent further unauthorized access. CEO Eric Grundy publicly acknowledged the breach, emphasizing collaboration with forensic investigators and law enforcement. The company established a dedicated assistance line (1-844-512-9007) and published incident details on Mandee and Annie Sez websites. Affected customers were advised to monitor financial statements, report unauthorized charges to card issuers, and review credit reports via AnnualCreditReport.com. A&M outlined options for fraud alerts or security freezes through Equifax, Experian, and TransUnion, noting potential delays in credit approvals. Forensic investigations confirmed the malware's restriction to point-of-sale systems, with no evidence of data misuse beyond initial theft. Ongoing system monitoring and procedural updates were deployed to strengthen payment security across all retail locations.