Hanna Andersson, a U.S.-based children's clothing retailer, has agreed to pay $400,000 to settle a class-action lawsuit brought under the California Consumer Privacy Act (CCPA) over a 2019 data breach. The settlement is the first monetary settlement under the CCPA. The lawsuit, filed in the U.S. District Court for the Northern District of California in February 2020, claimed that Hanna Andersson and its e-commerce platform vendor, Salesforce, violated the CCPA by exposing customers' personally identifiable information (PII) in the breach.
Under the settlement, the more than 200,000 U.S. customers who made purchases from the Hanna Andersson online store between September 16 and November 11, 2019 are eligible for compensation of $500 to $5,000 each.
How Hanna Andersson Got Hacked
According to a statement from Hanna Andersson, unknown threat actors compromised the company's retail website in late 2019, during the period covered by the settlement; the breach came to light in December 2019. The attackers captured the payment card data customers entered on the site's checkout and payment pages: customer name, card number, CVV code and expiration date, along with billing and shipping addresses. The stolen card details were later offered for sale on the dark web.
The forensic investigation confirmed that the third-party e-commerce platform hosting the store, Salesforce Commerce Cloud, had been infected with malware that may have scraped the information customers entered during the purchase process. That description is consistent with web skimming (often called a Magecart-style attack), in which script injected into a checkout page copies form fields as they are typed or submitted and sends them to an attacker-controlled server, so the site keeps working normally and the theft is invisible to the shopper.
In addition to the payment, Hanna Andersson agreed to strengthen its security controls to reduce the chance of a repeat incident: conducting a risk assessment of its data assets; enabling multi-factor authentication; hiring a new director of cybersecurity; running phishing exercises and penetration tests; and deploying additional intrusion detection, prevention and monitoring tooling.
“Plaintiffs strongly believe the settlement is fair, reasonable, and adequate and that the court should grant it preliminary approval and notice distributed to class members. The settlement provides quick relief for class members, including compensation for the alleged unauthorized dissemination of their PII,” said the attorneys for the class-action plaintiffs in the settlement agreement.