Hanna Andersson, LLC and Salesforce.com, Inc. face a proposed class action lawsuit after a Fall 2019 data breach reportedly compromised the personal information of “tens of thousands” of the high-end children’s clothing retailer’s online customers. The lawsuit alleges that due to the defendants’ lax security systems and delayed response to the breach, cybercriminals “got everything they needed” to commit fraud and identity theft using customers’ stolen information.
The case claims Hanna Andersson notified customers in a letter dated January 15, 2020 that a “widespread” data breach had occurred from September 16 to November 11, 2019. During the incident, the suit says, unauthorized parties gained access to the retailer’s online payment platform provided by Salesforce’s Commerce Cloud Unit. The hackers “scraped” customers’ names, billing and shipping addresses, payment card numbers, CVV codes and credit card expiration dates, the lawsuit says.
Although Hanna claimed the malware had been removed from its payment platform by November 11, a different letter, sent to the attorneys general of the states affected by the incident, the suit says, stated that Hanna was first notified of the breach by law enforcement back on December 5. The lawsuit questions Hanna’s timeline in the two letters, noting that the company claimed to have removed the malware three weeks earlier than it was purportedly made aware of the incident.
“Hanna admits it did not detect this breach on its own, nor did Salesforce notify Hanna about it – law enforcement did,” the complaint states. “How was the malware removed on November 11, 2019, without Defendants noticing it?”
The lawsuit decries the defendants’ “negligent and/or careless” conduct, arguing that the two companies’ inadequate security systems and inattentive approach to data security have exposed customers to a heightened risk of identity theft. Moreover, the case claims Hanna and Salesforce should have discovered the breach months earlier and notified consumers as soon as possible rather than wait “over another month” after being made aware of the incident.
In addition to possible violations of the California Unfair Competition Law, the lawsuit alleges abuses of the newly minted California Consumer Privacy Act, which went into effect on January 1, 2020. This lawsuit is believed to be among the first to mention the new statute, which aims to grant California consumers more control over how companies collect and use their personal information.