Hanna Andersson Data Breach: Hackers Compromise Website of Children’s Clothier

Portland, Oregon-based children’s clothing maker Hanna Andersson has quietly disclosed a breach to affected customers. Very few details of the breach have been made public.

The letter, obtained by SecurityWeek, was sent via postal mail and explains that a third party had gained unauthorized access to customer information entered during online purchases between September 16 and November 11, 2019. This was only discovered after the firm was notified by law enforcement that such a breach had likely happened, although the firm gives no indication of the date on which it was informed.

This is not the best way to learn of a breach involving financial data — it generally means that law enforcement has detected financial fraud attempts of sufficient quantity for them to be traced back to a particular source. In other words, the breach was successful, card details have been stolen, and they’re already being used by criminals.

According to the breach notification letter, the “incident potentially involved information submitted during the final purchase process on our website, including name, shipping address, billing address, payment card number, CVV code, and expiration date.” These details are often known on the dark web as ‘fullz’; that is, the data contains all the information necessary for a criminal to make fraudulent purchases via the internet.

There is no indication that these details were encrypted — indeed, the implication is that they were not. Under the regulations of PCI DSS (the security standard required by the payment card industry for any organization accepting card payments), the card number should have been encrypted and the CVV number discarded. That the attackers obtained the CVV number suggests that the details were ‘skimmed’ as they were entered — that is, between the user entering the details and the retailer encrypting the card number and discarding the CVV.

This is the attack methodology used in several recent ‘Magecart’ attacks; that is, credit card web skimming. The Hanna Andersson breach has not been confirmed as a Magecart attack, but such attacks generally involve the insertion of malicious skimmer code into the victim company’s payment code. It is known that a growing number of well-established criminal groups are now involved.
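One way a site owner can watch for code inserted into a payment page, as described above, is to compare the page's script inventory against a reviewed baseline. The following is an added example, not code from the article or from Hanna Andersson; the hosts, the policy object, the function names and the sample page are all constructed assumptions.

```javascript
// Added example: audit the <script> inventory of a checkout page against a
// reviewed baseline. Hosts, policy and the sample page are all constructed.
const POLICY = {
  firstParty: 'shop.example',
  allowedHosts: new Set(['shop.example', 'cdn.payments.example']),
  // Exact approved inline scripts; a real deployment would store hashes.
  approvedInline: new Set(["initCheckout({currency:'USD'});"]),
};

// Regex extraction is enough for a sketch; a production audit should use
// an HTML parser or inspect the live DOM.
function listScripts(html) {
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  return [...html.matchAll(re)].map(([, attrs, body]) => {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    const hasIntegrity = /\bintegrity\s*=\s*["'][^"']+["']/i.test(attrs);
    return { src: src ? src[1] : null, hasIntegrity, body: body.trim() };
  });
}

function auditCheckoutScripts(html, pageUrl, policy = POLICY) {
  const findings = [];
  for (const s of listScripts(html)) {
    if (s.src === null) {
      // Inline code that nobody reviewed is the first thing to investigate.
      if (!policy.approvedInline.has(s.body)) {
        findings.push({ rule: 'unapproved-inline', detail: s.body.slice(0, 40) });
      }
      continue;
    }
    const host = new URL(s.src, pageUrl).hostname;
    if (!policy.allowedHosts.has(host)) {
      findings.push({ rule: 'unexpected-origin', detail: host });
    } else if (host !== policy.firstParty && !s.hasIntegrity) {
      // Third-party script with no Subresource Integrity pin.
      findings.push({ rule: 'missing-sri', detail: host });
    }
  }
  return findings;
}

// Constructed sample checkout page.
const SAMPLE_PAGE = `
<script src="/static/checkout.js"></script>
<script src="https://cdn.payments.example/v2/fields.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://cdn.payments.example/v2/tokenize.js"></script>
<script src="https://metrics-cdn.example/a.js"></script>
<script>initCheckout({currency:'USD'});</script>
<script>loadWidget('promo');</script>`;
console.log(auditCheckoutScripts(SAMPLE_PAGE, 'https://shop.example/checkout'));
```

Run on a schedule against the rendered checkout page, a non-empty result is a prompt to review what changed and who changed it.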

Hanna Andersson is providing no details of the attack. At the time of writing it is not known how the malicious code got onto the site, who may be involved, nor how many customers may be affected. It does say, however, “we have retained forensic experts to investigate the incident and are cooperating with law enforcement and the payment card brands in their investigation of and response to the incident.” We will learn more as time progresses.

Any response from the PCI Security Standards Council will be interesting. Although not an official claim, it is often suggested that no firm in full compliance with PCI DSS has ever been breached. “We can definitively state,” says the Verizon 2019 Payment Security Report, “we have never reviewed an environment or investigated a PCI data breach involving an affected entity that was truly PCI DSS compliant.” Coincidentally, this report was published at the very end of the Hanna Andersson breach.

Interestingly, the retailer posted a job opening for a “Director of Cyber Security” around the “end” of the incident, indicating that the company may not have had a robust internal security team. According to the job description, this person would be tasked with serving as a “primary point of contact concerning any cyber-attack activity and deal with any such incidents promptly and efficiently minimizing any reoccurrence.”

Despite the lack of detail being provided by the firm, it is nevertheless offering affected customers a comprehensive after-breach care package. This comprises MyIDCare identity theft protection services from ID Experts, including 12 months of credit and CyberScan monitoring, a $1 million insurance reimbursement policy, and fully managed ID theft recovery services.

SecurityWeek has contacted Hanna Andersson for further details.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
