Salesforce and Hanna Andersson Face Second Suit Over Data Breach

Salesforce and Hanna Andersson have been sued a second time for the company’s data breach. Hanna Andersson is a children’s clothing store and online retailer, who notified customers in January 2020 about a data breach that occurred from September 16, 2019 to November 11, 2019, where hackers were able to scrape various customer data. The new class action complaint filed by Krista Gill and Doug Sumerfield has accused Salesforce and Hana Andersson of “failure to exercise reasonable care in securing and safeguarding their customers’ sensitive personal information (SPI), including customer names, payment card numbers, payment card expiration dates, and payment card security codes.” The first suit accused the defendants of negligence and violation of California’s unfair competition law.

The complaint stated that the attack was one of many on an e-commerce platform and the second recent one to happen on Salesforce’s Commerce Cloud Unit. Plaintiffs allege that Defendants could have prevented this type of data breach as similar attacks on e-commerce platforms are popular; they have failed to adopt more secure technology and neglected to safeguard customer data. The hackers installed malware that was undetected for close to two months, which allowed them to access personal user information.

Damages to the plaintiffs include, for example: “unauthorized charges on debit and credit card accounts,” “theft of personal and financial information,” “costs associated with the detection and prevention of identity theft and unauthorized use of financial accounts.” They alleged that these are directly related to the data breach and both companies’ negligence.

In September, the plaintiffs purchased from Hanna Andersson and in December they were “alerted by their bank to fraudulent activity on their credit card account, and their account was suspended until new cards could be issued to them, approximately five days later.” During the waiting time, they were unable to use the affected card. As part of a previous class action settlement, plaintiff Gill received data monitory services from MyIDCare, which is the same monitoring service Hanna Andersson offered after the breach; however, “MyIDCare’s monitoring was inadequate to prevent the Hanna Andersson Data Breach from causing damage to Plaintiffs, and is inadequate to address the [complaint’s] Data Breach.” Further, Hanna Andersson was allegedly informed of the data breach by law enforcement, stating that “credit cards used on its website were available for purchase on a dark web site.” The plaintiffs state that Hanna Andersson and Salesforce should have taken measures to prevent this hack and should have known that SPI was vulnerable. Gill and Sumerfield have already had at least one account of fraudulent use of their card. Hanna Andersson’s delayed notification to customers about the fraud lost them valuable time to help mitigate the issue, according to the complaint.

The plaintiffs accuse Hanna Andersson and Salesforce of negligence and have sought a declaratory judgment. They have also sought an award of pre- and post-judgment, an award for costs and attorney’s fees and an award for damages and further relief determined by the court.

The suit is filed in the California Northern District Court. Plaintiffs are represented by Wolf Haldenstein Adler Freeman & Herz.