Cyber Incident Victim: Hanna Andersson

Date: Sep 2019

Location: United States of America

Summary

Hanna Andersson experienced a Magecart attack where malicious code was injected into its Salesforce Commerce Cloud platform, compromising customer payment data during online purchases. The skimming operation harvested names, addresses, payment card numbers, CVV codes, and expiration dates over nearly two months before detection. Law enforcement alerted the retailer after stolen credit cards appeared on a dark web marketplace, prompting an investigation that confirmed the breach but could not identify all affected individuals. The company secured its systems, collaborated with authorities and payment card networks, and offered identity theft protection services to potentially impacted customers. This incident mirrored prior compromises targeting the same e-commerce platform.

Description

Hanna Andersson, a US-based children's apparel retailer, experienced a cybersecurity breach affecting its online purchasing platform between September 16 and November 11, 2019. Attackers deployed malicious JavaScript skimmers—commonly associated with Magecart threat groups—within the company's third-party Salesforce Commerce Cloud (formerly Demandware) e-commerce system. This malware targeted customers during checkout, capturing payment card details including card numbers, CVV codes, expiration dates, names, and billing/shipping addresses. The intrusion remained undetected until December 5, 2019, when law enforcement alerted Hanna Andersson that stolen credit cards from their site appeared for sale on dark web marketplaces. Forensic analysis confirmed the two-month compromise window but could not definitively identify all affected customers due to the skimmer's data collection methodology. Approximately 2,800 websites utilized the Salesforce Commerce Cloud platform at the time, though the article does not specify whether other clients were impacted in this specific campaign.

Hanna Andersson initiated containment by removing the malware from their platform on November 11, 2019, prior to the law enforcement notification. Following confirmation of the breach, the company implemented additional security hardening measures for its online purchasing system and collaborated with payment card networks and investigative agencies. As a precautionary measure, Hanna Andersson notified all customers who made purchases during the compromise period about potential data exposure. The retailer offered affected individuals 12 months of credit monitoring, cyber threat surveillance via MyIDCare, identity theft recovery services, and a $1 million insurance reimbursement policy through ID Experts. Forensic evidence suggested similarities to prior Magecart attacks against Salesforce Commerce Cloud clients, including UK retailer Sweaty Betty in November 2019, though the specific vulnerability exploited in Hanna Andersson's case remained unconfirmed. The incident highlighted Magecart's continued targeting of e-commerce platforms, with Salesforce's Heroku cloud service also documented as a skimmer host in separate December 2019 attacks.