Cyber Incident Victim: Sirens
Date:
Oct 2015
Location:
United States of America
Summary
A cybersecurity incident at A&M (2015) LLC impacted customers using payment cards at several retail brands, including Sirens, due to malware installed on point-of-sale systems. The malware potentially harvested card numbers, expiration dates, and CVV codes from transactions at affected physical stores; at two specific locations, customer names were also compromised. The malicious files were identified and removed following an investigation initiated after alerts from the company’s payment processor. No online transactions, Social Security numbers, or PINs were involved. The company engaged third-party forensic experts and law enforcement, implemented enhanced security measures, and notified customers while advising vigilance against fraudulent activity.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
A&M (2015) LLC discovered a data security incident affecting customers who used debit or credit cards at its retail brands, including Sirens, Annie Sez, Afaze, Mandee, and Urban Planet. The company initiated an investigation following reports of unusual activity from its credit card processor, engaging third-party forensic experts to examine its systems. On August 11, 2016, suspicious files were identified on A&M's computer systems, indicating potential compromise of payment card data. By August 23, 2016, forensic analysis confirmed these files contained malware designed to collect customer payment information, prompting immediate removal. The malware operated between November 24, 2015, and August 23, 2016, across all U.S. locations of the affected brands, with extended exposure periods at the Annie Sez store in Danbury, Connecticut (October 15, 2015 – August 23, 2016) and Mandee store in Bergenfield, New Jersey (October 14, 2015 – August 23, 2016). Compromised data included card numbers, expiration dates, and CVV codes for most locations, while the Danbury Annie Sez and Bergenfield Mandee locations additionally exposed customer names. Social Security numbers and PINs were not compromised, as A&M did not collect this information. Online transactions through brand websites remained unaffected.
A&M contained the incident by eradicating the malware and implementing enhanced security protocols to prevent further unauthorized access. The company collaborated with forensic investigators and law enforcement throughout the investigation and remediation process. Notification efforts included establishing a dedicated assistance line (1-844-512-9007) and publishing incident details on Mandee and Annie Sez websites. Customers were advised to monitor account statements and credit reports for suspicious activity, report unauthorized charges to card issuers, and consider fraud alerts or security freezes through credit bureaus. A&M confirmed that payment systems were secure for resumed use at all physical locations following malware removal. The forensic investigation remained ongoing at the time of the November 11, 2016, public disclosure, with no evidence suggesting misuse of exposed data beyond the initial compromise.