Cyber Incident Victim: Annie Sez
Date: Oct 2015
Location: United States of America
Summary
A malware attack compromised payment card data at multiple U.S. retail brands under A&M, including Annie Sez, Afaze, Mandee, Sirens, and Urban Planet. The breach exposed card numbers, expiration dates, and CVV codes for transactions at affected physical stores, with customer names additionally compromised at specific locations in Danbury, Connecticut, and Bergenfield, New Jersey. Social Security numbers and PINs remained unaffected, as the company does not collect this data. The malicious software was identified and removed following an investigation prompted by unusual activity reports from credit card processors. A&M engaged third-party forensic experts and law enforcement, implementing enhanced security measures to prevent further unauthorized access while confirming no impact on online transactions.
Description
A&M (2015) LLC, operator of retail brands including Annie Sez, Afaze, Mandee, Sirens, and Urban Planet, initiated an investigation following reports of unusual activity from its credit card processor. Third-party forensic experts were engaged to examine potential system compromises. On August 11, 2016, suspicious files were identified on A&M's computer systems, suggesting possible theft of customer debit and credit card data. By August 23, 2016, forensic analysis confirmed these files contained malware designed to harvest payment card information, prompting immediate removal. The malware exposure period spanned November 24, 2015, through August 23, 2016, for most affected locations. Two stores had extended compromise windows: the Annie Sez location in Danbury, Connecticut, from October 15, 2015, and the Mandee store in Bergenfield, New Jersey, from October 14, 2015. Online transactions through brand websites remained unaffected throughout the incident.

The malware potentially captured card numbers, expiration dates, and CVV codes from physical store transactions. Customers at the Danbury Annie Sez and Bergenfield Mandee locations additionally had names exposed alongside payment details. No Social Security numbers or PINs were compromised, as A&M did not collect this data. Following containment, A&M implemented enhanced security protocols to prevent future unauthorized access. The company collaborated with law enforcement and continued forensic investigations to determine the full scope of the impact. A dedicated customer assistance line (1-844-512-9007) and website notifications provided incident details and standard fraud monitoring guidance. CEO Eric Grundy publicly acknowledged the breach, emphasizing ongoing efforts to secure systems while advising customers to review financial statements and credit reports for unauthorized activity.
