A proposed class action suit alleges children’s clothing retailer Hanna Andersson, LLC and Salesforce.com, Inc., which sold Hanna the cloud-based ecommerce platform that processes transactions and stores customer data, failed to implement adequate security measures to protect customers’ private information.
Although both defendants flaunt their cyber security measures in their marketing materials, Salesforce’s Commerce Cloud system, the case contends, fell victim to a “Magecart” attack that exposed the personally identifiable information (PII) of consumers who made purchases on Hanna Andersson’s website. The data breach, which may have begun as early as September 16, 2019, saw hackers access the defendants’ ecommerce platform and inject malicious scripts, known as “skimmers” or “scrapers,” that stole customers’ payment information.
Law enforcement allegedly informed Hanna Andersson of the breach on December 5, 2019. On January 15, 2020, the company sent out separate notices regarding the incident to affected customers and state attorneys general. The case claims, however, that Hanna Andersson’s notices gave conflicting information about the breach and revealed “inconsistencies and questionable and problematic decision-making” that put customers in harm’s way. Salesforce, on the other hand, did not provide any notice of the breach, the suit states.
According to the notice given to the attorneys general, the malware was removed on November 11, 2019, contrary to Hanna Andersson’s claim that the retailer was not made aware of the breach until December 5, the lawsuit explains. In addition, the complaint claims there is no indication as to whether Salesforce was aware of the incident prior to November 11; however, the case says it “appears improbable” that the malware could have been removed without the company’s knowledge.
The case claims the defendants were “under a duty to act with reasonable care in the collection and processing of Plaintiff and the Class’s PII,” yet failed to maintain adequate technological safeguards. Furthermore, the complaint argues the defendants caused additional harm to customers by waiting more than a month to alert affected customers and, in the case of Salesforce, failing to give any notice at all.