[BreachExchange] Hanna Andersson Data Breach: Hackers Compromise Website of Children's Clothier

Destry Winant destry at riskbasedsecurity.com
Wed Jan 22 10:10:10 EST 2020


https://www.securityweek.com/hanna-andersson-data-breach-hackers-compromise-website-childrens-clothier

Portland, Oregon-based children's clothing maker Hanna Andersson has
quietly disclosed a breach to affected customers. Very few details of
the breach have been made public.

The letter, obtained by SecurityWeek, has been sent via postal mail
and explains that a third party had gained unauthorized access to
customer information entered during online purchases between September
16 and November 11, 2019. This was only discovered after the firm was
notified by law enforcement that such a breach had likely happened;
although the firm gives no indication of the date they were so
informed.

This is not the best way to learn of a breach involving financial data
-- it generally means that law enforcement has detected financial
fraud attempts of sufficient quantity for them to be traced back to a
particular source. In other words, the breach was successful, card
details have been stolen, and they're already being used by criminals.

According to the breach notification letter, the "incident potentially
involved information submitted during the final purchase process on
our website, www.hannaandersson.com, including name, shipping address,
billing address, payment card number, CVV code, and expiration date."
These details are often known on the dark web as 'fullz'; that is, the
data contains all the information necessary for a criminal to make
fraudulent purchases via the internet.

There is no indication that these details were encrypted -- indeed,
the implication is that they were not. Under the regulations of PCI
DSS (the security standard required by the payment card industry for
any organization accepting card payments), the card number should have
been encrypted and the CVV number discarded. That the attackers
obtained the CVV number suggests that the details were 'skimmed' as
they were entered -- that is, between the user entering the details
and the retailer encrypting the card number and discarding the CVV.

This is the attack methodology used in several recent 'Magecart'
attacks; that is, credit card web skimming. The Hanna Andersson
breach has not been confirmed as a Magecart attack, but such attacks
generally involve the insertion of malicious skimmer code into the
victim company's payment code. It is known that a growing number of
well-established criminal groups are now involved.
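Because web skimmers work by altering the scripts served on the payment page, one defensive control is to snapshot the checkout page's script inventory (external script sources plus hashes of inline script bodies) and diff each later fetch against that approved baseline. The following is an added example for illustration, not code from the SecurityWeek article or from Hanna Andersson; the HTML snippets and the script URLs in it are constructed.

```python
import hashlib
from html.parser import HTMLParser


class ScriptInventory(HTMLParser):
    """Collect external <script src> URLs and SHA-256 digests of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline_hashes = set()
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src)
        else:
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands the raw <script> body to handle_data (CDATA mode)
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode()
            self.inline_hashes.add(hashlib.sha256(body).hexdigest())
            self._buf = None


def inventory(html):
    p = ScriptInventory()
    p.feed(html)
    return p.external, p.inline_hashes


def new_scripts(baseline_html, current_html):
    """Scripts in the current snapshot that the approved baseline lacks."""
    base_ext, base_inl = inventory(baseline_html)
    cur_ext, cur_inl = inventory(current_html)
    return sorted(cur_ext - base_ext), sorted(cur_inl - base_inl)


# Constructed sample pages (not any real retailer's site): the later snapshot
# has gained an unknown external script and a modified inline block.
BASELINE = '<script src="/static/checkout.js"></script><script>var step="pay";</script>'
CURRENT = BASELINE + '<script src="https://cdn.unknown.invalid/a.js"></script><script>var step="pay";x=1;</script>'
```

Any non-empty result from `new_scripts` is a change to the payment page that should be explained by a deploy record; an unexplained one is exactly the signal a skimmer injection leaves.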

Hanna Andersson is providing no details of the attack. At the time of
writing it is not known how the malicious code got onto the site, who
may be involved, nor how many customers may be affected. It does say,
however, "we have retained forensic experts to investigate the
incident and are cooperating with law enforcement and the payment card
brands in their investigation of and response to the incident." We
will learn more as time progresses.

Any response from the PCI Security Standards Council will be
interesting. Although not an official claim, it is often suggested
that no firm in full compliance with PCI DSS has ever been breached.
"We can definitively state," says the Verizon 2019 Payment Security
Report, "we have never reviewed an environment or investigated a PCI
data breach involving an affected entity that was truly PCI DSS
compliant." Coincidentally, this report was published at the very end
of the Hanna Andersson breach.

Interestingly, the retailer posted a job opening for a "Director of
Cyber Security" around the "end" of the incident, indicating that
the company may not have had a robust internal security team. In the
job description, this person would be tasked with serving as a "primary
point of contact concerning any cyber-attack activity and deal with
any such incidents promptly and efficiently minimizing any
reoccurrence."

Despite the lack of detail being provided by the firm, it is
nevertheless offering affected customers a comprehensive after-breach
care package. This comprises MyIDCare identity theft protection
services from ID Experts, including 12 months of credit and CyberScan
monitoring, a $1 million insurance reimbursement policy, and fully
managed ID theft recovery services.
