M. Anderson Berry, SBN 262879
aberry@justice4you.com
Leslie Guillon, SBN 222400
lguillon@justice4you.com
CLAYEO C. ARNOLD,
A PROFESSIONAL LAW CORPORATION
865 Howe Avenue
Sacramento, CA 95825
Telephone: (916) 777-7777
Facsimile: (916) 924-1829

John A. Yanchunis (Pro Hac Vice Forthcoming)
jyanchunis@ForThePeople.com
MORGAN & MORGAN
COMPLEX LITIGATION GROUP
201 N. Franklin St., 7th Floor
Tampa, FL 33602
Telephone: (813) 223-5505
Facsimile: (813) 223-5402
Attorneys for Plaintiffs

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SAN FRANCISCO DIVISION

BERNADETTE BARNES, an individual and California resident, on behalf of herself and all others similarly situated,
Plaintiff,

vs.

HANNA ANDERSSON, LLC, and SALESFORCE.COM, INC.,
Defendants.

Case No.:

CLASS ACTION COMPLAINT

1.) Negligence
2.) Declaratory Relief
3.) Violation of the California Unfair Competition Law, Business & Professions Code § 17200, et seq.

DEMAND FOR JURY TRIAL

Case 4:20-cv-00812-DMR Document 2 Filed 02/03/20 Page 2 of 25

Plaintiff Bernadette Barnes brings this Class Action Complaint against Hanna Andersson, LLC (“Hanna”) and Salesforce.com, Inc. (“Salesforce”) (collectively, “Defendants”), on behalf of herself and all others similarly situated, and alleges, upon personal knowledge as to her own actions and her counsels’ investigations, and upon information and belief as to all other matters, as follows:

I. INTRODUCTION

1. Hanna Andersson specializes in selling high-end children’s apparel through its popular website and specialty retail stores throughout the United States. For online sales, Hanna uses a third-party ecommerce platform to take customers’ personal and payment information. The ecommerce platform is supplied to Hanna by Salesforce’s Commerce Cloud Unit.

2. On January 15, 2020, Hanna Andersson notified customers and state Attorneys General about a widespread data breach that occurred from September 16, 2019 to November 11, 2019. Hackers not only “scraped” many of Hanna’s customers’ names from the website by infecting it with malware, they also stole customers’ billing and shipping addresses, payment card numbers, CVV codes, and credit card expiration dates. The criminals got everything they needed to illegally use Hanna’s customers’ credit cards to make fraudulent purchases, and to steal the customers’ identities.

3. Not only did hackers skim this personally identifiable information (“PII”), law enforcement found the stolen names and card information for sale on the dark web. That means the breach worked. Hackers accessed and then offered for sale the unencrypted, unredacted stolen PII to criminals. Because of Defendants’ breach, customers’ PII is still available on the dark web for criminals to access and abuse. Hanna’s customers face a lifetime risk of identity theft.

4. This PII was compromised due to Hanna’s and Salesforce’s negligent and/or careless acts and omissions and the failure to protect customers’ data. In addition to their failure to prevent the breach, Hanna and Salesforce failed to detect the breach for almost three months.

5. Neither Hanna nor Salesforce had any idea the breach was happening. Months after it started, law enforcement found the stolen information on the dark web and warned Hanna on December 5, 2019. Hanna then investigated the breach, confirmed that Salesforce Commerce Cloud’s ecommerce platform was “infected with malware,” and confirmed that the PII entered by customers into the platform during the purchase process was “scraped”; that is, customers’ PII was stolen from Hanna’s website by unknown individuals, then sold on the dark web.
6. Hanna did not tell customers or the Attorneys General about this theft until over another month later, on January 15, 2020. To this day, Salesforce has not released a vulnerabilities and exposures report, nor has Salesforce made any notifications of the breach.

7. The stolen PII has great value to hackers due to the numbers involved: It is likely that tens of thousands of people – residents of every state – were affected by this breach. For example, Hanna states that almost 9,000 Washington residents may have been affected. On information and belief, over 10,000 California residents were affected.

8. Plaintiff brings this action on behalf of all persons whose PII was compromised as a result of Defendants’ failure to: (i) adequately protect its users’ PII, (ii) warn users of its inadequate information security practices, and (iii) effectively monitor Hanna’s website and ecommerce platform for security vulnerabilities and incidents. Defendants’ conduct amounts to negligence and violates several California statutes.

9. Plaintiff and similarly situated Hanna customers (“Class members”) have suffered injury as a result of Defendants’ conduct. These injuries may include: (i) lost or diminished value of PII; (ii) out-of-pocket expenses associated with the prevention, detection, and recovery from identity theft, tax fraud, and/or unauthorized use of their PII; (iii) lost opportunity costs associated with attempting to mitigate the actual consequences of the data breach, including but not limited to lost time; (iv) deprivation of rights they possess under the California Unfair Competition Law (Cal. Bus. & Prof. Code § 17200) and California Consumer Privacy Act (Cal. Civ. Code § 1798.100, et seq.); (v) the continued and certainly an increased risk to their PII, which (a) remains available on the dark web for individuals to access and abuse, and (b) remains in Defendants’ possession and is subject to further unauthorized disclosures so long as Defendants fail to undertake appropriate and adequate measures to protect the PII.

II. PARTIES

10. Plaintiff Bernadette Barnes is a citizen of California residing in Sacramento County. Plaintiff Barnes purchased items from Hanna’s website between September 16, 2019 and November 11, 2019. She received Hanna’s notice of the data breach, dated January 15, 2020, on or about January 20, 2020.
11. Defendant Hanna Andersson, LLC is a Delaware Foreign Limited Liability Company with its principal place of business located at 1010 Northwest Flanders Street, Portland, Oregon. During the class period, Hanna operated in California through its website, and has multiple retail locations, including in Palo Alto and Walnut Creek, California.

12. Defendant Salesforce.com, Inc. is incorporated in Delaware with its principal place of business located at 1 Market Street, San Francisco, California. According to Hanna, during the class period, Salesforce supplied Hanna with cloud-based online ecommerce services through its Salesforce Commerce Cloud Unit.1

III. JURISDICTION AND VENUE

13. This Court has subject matter jurisdiction over this action under 28 U.S.C. § 1332(d) because this is a class action wherein the amount in controversy exceeds the sum or value of $5,000,000, exclusive of interest and costs, there are more than 100 members in the proposed class, and at least one member of the class is a citizen of a state different from Defendant Hanna. Moreover, Plaintiff Barnes is a citizen of California and therefore diverse from Hanna, which is headquartered in Oregon with a Delaware LLC.

14. This Court has personal jurisdiction over Defendants because Salesforce is headquartered in California and conducts business in the state of California, and because Hanna has physical locations throughout California and conducts business in California through its website.

15. Venue is proper in this Court pursuant to 28 U.S.C. § 1391 because a substantial part of the events or omissions giving rise to these claims occurred in, were directed to, and/or emanated from this District. Venue is also proper because Salesforce’s terms of service require

1 See, e.g., Hanna Andersson’s Notification of Security Incident to the Washington Attorney General, January 15, 2020, available at: https://agportal-s3bucket.s3.amazonaws.com/uploadedfiles/Another/Supporting_Law_Enforcement/HannaAnderssonLLC.2020-01-15.pdf (last accessed Jan. 29, 2019); see also, Hanna Andersson’s Notification of Security Incident to the California Attorney General, in part, January 15, 2020, available at: https://oag.ca.gov/system/files/Hanna_Multi-State%20Master__Rev1.pdf (last accessed Jan. 29, 2019).
that claims are resolved in “the courts located in San Francisco, California.”2

IV. FACTUAL ALLEGATIONS

Background

16. Hanna has sold high-end children’s clothing through mail order and retail stores since 1983. The company mostly sells clothing for babies through preteens, but recently added a women’s collection and home furnishings. The company has expanded to over 60 retail locations across the United States, with an extensive presence online at www.hannaandersson.com. The company’s annual sales are estimated to be over $140 million.

17. Salesforce is primarily a cloud technology3 software as a service (“SaaS”) company specializing in “customer relationship management” (“CRM”). According to Salesforce, CRM “is a technology for managing all your company’s relationships and interactions with customers and potential customers.” Due to the increase of cloud technology use, Salesforce’s recent third quarter revenue of $4.5 billion was up 33 percent year over year.

18. As of 2020, Salesforce has multiple different cloud platforms: service cloud, marketing cloud, health cloud, app cloud, community cloud, analytics cloud, IoT cloud, Chatter cloud, Heroku engagement cloud, and the Salesforce Commerce Cloud.

19. The Salesforce Commerce Cloud provides a cloud-based unified ecommerce platform, or platform as a service (“PaaS”), with mobile, AI personalization, order management capabilities, and related services for business to customer (“B2C”) and business to business (“B2B”) companies.

20. Practically, businesses use Salesforce Commerce Cloud to provide websites to their customers who purchase items online. Salesforce’s platform takes the key payment and personal information from the customer to finalize the transaction: name, billing and shipping addresses, payment card type and number, CVV (security) code, credit card expiration date, and

2 Terms of Service, Salesforce.com, Inc., available at https://www.salesforce.com/company/legal/sfdc-website-terms-of-service/# (last accessed Jan. 29, 2019).
3 As the name suggests, “cloud” technology is located remotely (in a “cloud computing platform” established by the vendor) and is accessed by the customer via the internet.
sometimes email address and telephone number.

21. Retailers and customers demand security to safeguard PII. Salesforce touts the secure nature of its PaaS ecommerce platform on its website:
• “Security protocols and infrastructure are constantly analyzed and updated to address new threats”;
• “Some of the world’s largest companies moved their applications to the cloud with Salesforce after rigorously testing the security and reliability of our infrastructure”;
• “The cloud is used to back up data, deliver software, and provide extra processing capacity in a secure, scalable way”;
• “[C]loud data is probably more secure than information stored on conventional hard drives”;
• “With cloud services, information is encrypted and backed up continuously. Vendors monitor systems carefully for security vulnerabilities”; and
• “With PaaS, the vendor takes care of back-end concerns such as security, infrastructure, and data integration so users can focus on building, hosting, and testing apps faster and at lower cost.”4

22. Hanna also assures its customers that it is concerned about PII security:

The security of your personal information is very important to Hanna, and we have implemented measures to ensure your information is processed confidentially, accurately, and securely. Our website is PCI DSS compliant and uses SSL/TLS (Secure Sockets Layer) technology to encrypt your order information, such as your name, address, and credit card number, during data transmission. We use a third-party payment processor, which is also PCI DSS compliant.5

4 What Is Cloud Computing?, Salesforce.com, Inc., available at: https://www.salesforce.com/products/platform/best-practices/cloud-computing/?d=70130000000i88b (last accessed on Jan. 29, 2020).
5 Privacy Statement, Hanna Andersson, LLC, available at: https://www.hannaandersson.com/security-and-privacy.html# (last accessed Jan. 29, 2020). When a customer purchases items on Hanna Andersson’s website, as a guest or through an account, they are not asked to acknowledge the “Privacy Statement,” and they are not expressly asked to agree to “Terms of Use” or “Terms of Service.”
23. PCI DSS (Payment Card Industry Data Security Standard) compliance is a requirement for businesses that store, process, or transmit payment card data. The PCI DSS defines measures for ensuring data protection and consistent security processes and procedures around online financial transactions. Businesses that fail to maintain PCI DSS compliance are subject to steep fines and penalties.

24. As formulated by the PCI Security Standards Council, the mandates of PCI DSS compliance include, in part: developing and maintaining a security policy that covers all aspects of the business, installing firewalls to protect data, encrypting cardholder data that is transmitted over public networks, and using anti-virus software and updating it regularly.6

25. To purchase items on Hanna’s website, customers can either create an account or check out as a guest. Either choice requires, at a minimum, that the customer enter the following PII onto the website:
• name;
• billing address;
• shipping address;
• telephone number;
• email address;
• name on the credit card;
• type of credit card;
• full credit card number;
• credit card expiration date; and
• security code, or CVV code (card verification number).

26. At no time during the checkout process does Hanna require customers to expressly agree to the “Terms of Use.”

The Data Breach

27. On or about January 15, 2020, Hanna sent customers a Notice of Security

6 PCI Security Standards Council, available at: https://www.pcisecuritystandards.org/ (last accessed Jan. 30, 2020).
Incident.7 Hanna’s President and CEO, Mike Edwards, informed the recipients of the notice that:

WHAT HAPPENED
Law enforcement recently notified Hanna Andersson that it had obtained evidence indicating that an unauthorized third party had accessed information entered on Hanna Andersson’s website during purchases made between September 16 and November 11, 2019[….]

WHAT INFORMATION WAS INVOLVED
The incident potentially involved information submitted during the final purchase process on our website, www.hannaandersson.com, including name, shipping address, billing address, payment card number, CVV code, and expiration date.8

28. On that same day, January 15, 2020, Hanna’s counsel at Perkins Coie in Seattle, Washington, mailed a different Notification of Security Incident to the Attorneys General of the states where affected customers reside, including California.9 That notice included as an enclosure a sample of the notice that was sent to customers that same day.10

29. In the notice sent to the Attorneys General, there was much more information:

On December 5, 2019, law enforcement informed Hanna Andersson that credit cards used on its website were available for purchase on a dark web site. Hanna Andersson immediately launched an investigation. The investigation has confirmed that Hanna Andersson’s third-party ecommerce platform, Salesforce Commerce Cloud, was infected with malware that may have scraped information entered by customers into the platform during the purchase process. The earliest potential date of compromise identified by forensic investigators is September 16, 2019, and the malware was removed on November 11, 2019.
…
Hanna Andersson is cooperating with law enforcement and the payment card brands in their investigation of and response to the incident. It has taken steps to re-secure the online purchasing platform on its website and to further harden it against compromise, including increasing use of multi-factor authentication

7 Hanna Andersson’s Notification of Security Incident, January 15, 2020, archived by the California Attorney General, available at: https://oag.ca.gov/system/files/Hanna_Multi-State%20Master__Rev1.pdf (last accessed Jan. 29, 2019).
8 Id.
9 Hanna Andersson’s Notification of Security Incident to the Washington Attorney General, January 15, 2020, available at: https://agportal-s3bucket.s3.amazonaws.com/uploadedfiles/Another/Supporting_Law_Enforcement/HannaAnderssonLLC.2020-01-15.pdf (last accessed Jan. 29, 2019).
10 Hanna Andersson’s Notification of Security Incident to the California Attorney General, in part, January 15, 2020, available at: https://oag.ca.gov/system/files/Hanna_Multi-State%20Master__Rev1.pdf (last accessed Jan. 29, 2019).
and enhanced system monitoring (emphasis added).

30. The notice sent to Attorneys General states that law enforcement did not inform Hanna about its customers’ credit cards being offered for sale on the “dark web” until December 5, 2019. At that time, Hanna “launched an investigation.” The date the infecting malware was supposedly removed from Salesforce’s “third-party ecommerce platform,” however, was over three weeks before Hanna claims it found out about the breach.

31. Hanna admits it did not detect this breach on its own, nor did Salesforce notify Hanna about it – law enforcement did. How was the malware removed on November 11, 2019, without Defendants noticing it?

32. Hanna’s customers’ information was sold or is still for sale to criminals. This means that the breach was successful; unauthorized individuals accessed Hanna’s customers’ unencrypted, unredacted information, “including name, shipping address, billing address, payment card number, CVV code, and expiration date,” and possibly more, without alerting Defendants, then offered the “scraped” information for sale online where the FBI or similar agency ran across it on or about December 5, 2020.

33. Around the same time the malware was supposedly removed from Salesforce’s ecommerce platform, Hanna posted a job opening on LinkedIn for a “Director of Cyber Security,” indicating that the company may not have had an adequate internal security lead that could monitor the website’s systems or implement safeguards.11 In the job description, Hanna’s Director of Cyber Security would be “responsible for safeguarding all systems end points and network infrastructure from all forms of intrusion,” and serving as a “primary point of contact concerning any cyber-attack activity and deal with any such incidents promptly and efficiently minimizing any reoccurrence.”

34. During the time Hanna admits malware infected its Salesforce ecommerce platform and hackers were “scraping” customers’ PII, and almost six weeks before Hanna “launched an investigation,” the Portland, Oregon FBI office (located in the same city as

11 Hanna Andersson LinkedIn post for Director of Cyber Security, November 2019, available at: https://www.linkedin.com/jobs/view/director-of-cyber-security-at-hanna-andersson-1518266875/ (last accessed January 28, 2020).
Defendant) issued a warning to companies about this exact type of fraud.

35. In the FBI’s Oregon FBI Tech Tuesday: Building a Digital Defense Against E-Skimming, dated October 22, 2019, the agency stated:

This warning is specifically targeted to . . . businesses . . . that take credit card payments online. E-skimming occurs when cyber criminals inject malicious code onto a website. The bad actor may have gained access via a phishing attack targeting your employees—or through a vulnerable third-party vendor attached to your company’s server.12

36. The FBI gave some stern advice to companies like Hanna:

Here’s what businesses and agencies can do to protect themselves:
• Update and patch all systems with the latest security software. Anti-virus and anti-malware need to be up-to-date and firewalls strong.
• Change default login credentials on all systems.
• Educate employees about safe cyber practices. Most importantly, do not click on links or unexpected attachments in messages.
• Segregate and segment network systems to limit how easily cyber criminals can move from one to another.

37. But neither Salesforce nor Hanna apparently took this advice as hackers were actively scraping customers’ PII off their website – until November 11, 2019 at the earliest.

38. Web scraping or skimming data breaches are commonly made possible through a vulnerability in a website or its backend content management system. Defendants did not use reasonable security procedures and practices appropriate to the nature of the sensitive information they were collecting, causing customers’ PII to be exposed for sale on the dark web.

Scraping and E-Skimming Breaches

39. Magecart is a loose affiliation of hacker groups responsible for skimming payment card attacks on various companies, including British Airways and Ticketmaster back in 2018.13 Typically, these hackers insert virtual credit card skimmers or scrapers (also known as formjacking) into a web application (usually the shopping cart), and proceed to scrape credit card

12 Exhibit 2 (Oregon FBI Tech Tuesday_ Building a Digital Defense Against E-Skimming — FBI.pdf).
13 Magecart Hits 80 Major eCommerce Sites in Card-Skimming Bonanza, Threatpost, Aug. 28, 2019, available at: https://threatpost.com/magecart-ecommerce-card-skimming-bonanza/147765/ (last accessed Jan. 30, 2020).
information to sell on the dark web.14

40. The hackers target what they refer to as the fullz; a term used by criminals to refer to stealing the full primary account number, card holder contact information, credit card number, CVC code and expiration date. The fullz is exactly what Hanna admits the malware infecting Salesforce’s platform scraped.

41. These cyber-attacks exploit weaknesses in the code of the ecommerce platform, without necessarily compromising the victim website’s network or server.15 These attacks have targeted third-party payment processors, like Salesforce, but the attack on British Airways in 2018 was far more tailored to the company’s particular infrastructure.16

42. Magecart and these scraping breaches are not new: RiskIQ’s earliest Magecart observation occurred on August 8th, 2010.17 Thus, the Portland FBI’s October 2019 warning was not the first time Defendants would have been made aware of this type of breach – it’s been going on for almost a decade and the well-publicized and widespread attacks on British Airways and Ticketmaster, among many others in and before 2018, should have alerted Defendants to the imminent danger facing Defendants’ customers.

43. Unfortunately, despite all of the publicly available knowledge of the continued compromises of PII in this manner, Defendants’ approach to maintaining the privacy and security of Plaintiffs’ and Class members’ PII was negligent, or at the very least, Defendants did not maintain reasonable security procedures and practices appropriate to the nature of the information to protect their customers’ valuable PII.18
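Paragraphs 39 through 41 describe formjacking: a script added to the checkout page that copies what the customer types, without the site's server having to be compromised. One defender-side control that follows directly from that description is to baseline the scripts the payment page is allowed to carry and alert on any deviation, which is what the Python below does. It is an added illustration, not code from the complaint or from any party; the page markup, the allowed hosts and the baseline hash are constructed sample values.

```python
"""Baseline audit of the scripts present on a checkout page.

Formjacking (Magecart-style e-skimming) adds a script to the payment
page that the site owner never authorized. A simple monitoring control
is to record which script hosts and which inline script bodies the page
is supposed to contain, then re-fetch the page and report any deviation.
All page content, hosts and hashes below are constructed sample values.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= on <script> tags
        self.inline = []        # bodies of <script> tags without src=
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def sha256_hex(text):
    """Hash an inline script body; whitespace at the ends is ignored."""
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


def audit_checkout_page(html, allowed_hosts, allowed_inline_hashes):
    """Return (kind, detail) findings for scripts outside the baseline.

    Relative src values are treated as same-origin and accepted. An
    external host not in allowed_hosts, or an inline body whose hash is
    not in allowed_inline_hashes, is reported.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname
        if host is not None and host not in allowed_hosts:
            findings.append(("unknown-external-script", src))
    for body in collector.inline:
        digest = sha256_hex(body)
        if digest not in allowed_inline_hashes:
            findings.append(("unknown-inline-script", digest))
    return findings


# Constructed baseline for a hypothetical shop: its own origin, one CDN,
# and one inline snippet that legitimately ships with the page.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}
KNOWN_INLINE = "window.dataLayer = window.dataLayer || [];"
ALLOWED_INLINE_HASHES = {sha256_hex(KNOWN_INLINE)}

# Constructed checkout page exactly as the baseline expects it.
CLEAN_PAGE = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/lib/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="payment"><input name="cardnumber"></form></body></html>"""

# The same page with two additions a monitoring run should catch: a script
# from a host that was never approved, and an inline body that is not in
# the baseline. Both are placeholders; the check is baseline deviation,
# not what the script does.
ALTERED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://static.not-in-baseline.test/t.js"></script>\n'
    "<script>/* constructed: not in baseline */ window.__t = 1;</script>\n"
    "</head>",
)


def run_demo():
    """Audit both pages; the clean one yields no findings."""
    return (
        audit_checkout_page(CLEAN_PAGE, ALLOWED_SCRIPT_HOSTS, ALLOWED_INLINE_HASHES),
        audit_checkout_page(ALTERED_PAGE, ALLOWED_SCRIPT_HOSTS, ALLOWED_INLINE_HASHES),
    )


if __name__ == "__main__":
    clean, altered = run_demo()
    print("clean page findings:", clean)
    for kind, detail in altered:
        print(f"{kind}: {detail}")
```

A baseline check like this catches an injected skimmer only when it is re-run regularly against the live page; the same comparison can be enforced in the browser with a Content Security Policy and Subresource Integrity hashes.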

14 Id.
15 What is Magecart and was it behind the Ticketmaster and BA hacks?, Computerworld, Sep. 18, 2018, available at: https://www.computerworld.com/article/3427858/what-is-magecart-and-was-it-behind-the-ticketmaster-and-ba-hacks-.html (last accessed Jan. 30, 2020).
16 Id.
17 Magecart: New Research Shows the State of a Growing Threat, RiskIQ, Oct. 4, 2019, available at: https://www.riskiq.com/blog/external-threat-management/magecart-growing-threat/ (last accessed Jan. 30, 2020).
18 While skimming attacks have become more popular, the practice of hackers using legitimate online services to host their infrastructure has expanded. Researchers at Malwarebytes recently discovered a rash of skimmers on the Heroku engagement platform, which is a PaaS run by Salesforce. This platform offers a free starter service for legitimate app developers to deploy, manage and scale their apps without needing to maintain their own infrastructure. Hackers are
Value of Personally Identifiable Information

44. The PII of consumers remains of high value to criminals, as evidenced by the prices they will pay through the dark web. Numerous sources cite dark web pricing for stolen identity credentials. For example, personal information can be sold at a price ranging from $40 to $200, and bank details have a price range of $50 to $200.19 Experian reports that a stolen credit or debit card number can sell for $5-110 on the dark web; the fullz sold for $30 in 2017.20 Criminals can also purchase access to entire company data breaches from $900 to $4,500.21

45. At all relevant times, Defendants knew, or reasonably should have known, of the importance of safeguarding PII and of the foreseeable consequences that would occur if its data security system was breached, including, specifically, the significant costs that would be imposed on its customers as a result of a breach.

46. Defendants were, or should have been, fully aware of the significant volume of daily credit and debit card transactions on its website – the malware infected Salesforce’s platform during the lead up to Christmas 2019 – amounting to tens of thousands of payment card transactions, and thus, the significant number of individuals who would be harmed by a breach of Defendants’ systems.

Plaintiff’s Experience

47. Plaintiff Bernadette Barnes accessed www.hannaandersson.com from her home in Sacramento, California, on October 24, 2019, and purchased five items for a total of $119.59.

registering free accounts on Heroku to host their skimming schemes. Malwarebytes reported its findings to the Salesforce Abuse Operations team in late 2019. There’s an app for that: web skimmers found on PaaS Heroku, Malwarebytes Labs, Dec. 4, 2019, available at: https://blog.malwarebytes.com/web-threats/2019/12/theres-an-app-for-that-web-skimmers-found-on-paas-heroku/ (last accessed Jan. 31, 2020).
19 Your personal data is for sale on the dark web. Here’s how much it costs, Digital Trends, Oct. 16, 2019, available at: https://www.digitaltrends.com/computing/personal-data-sold-on-the-dark-web-how-much-it-costs/ (last accessed Jan. 30, 2020).
20 Here’s How Much Your Personal Information Is Selling for on the Dark Web, Experian, Dec. 6, 2017, available at: https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/ (last accessed Jan. 30, 2020).
21 In the Dark, VPNOverview, 2019, available at: https://vpnoverview.com/privacy/anonymous-browsing/in-the-dark/ (last accessed Jan. 30, 2020).
48. Ms. Barnes made these purchases through her Hanna account. On the payment platform, Ms. Barnes entered her PII: name, billing and shipping addresses, payment card type and full number, CVV code, credit card expiration date, and email address. During this transaction, Ms. Barnes was never asked to “agree” to “Terms of Use.”

49. At 8:37 pm on the same day, Hanna emailed confirmation of the purchases to Ms. Barnes, and the items were delivered 7-10 days later.

50. Ms. Barnes received the January 15, 2020 Notice of Security Incident from Hanna’s President and CEO, Mike Edwards, on or about January 20, 2020. She did not receive the Notice of Security Incident sent by Hanna to Attorneys General.

51. As a result of the notice, Ms. Barnes spent time dealing with the consequences of the data breach, which includes time spent reviewing the account compromised by the breach, contacting her credit card company, exploring credit monitoring options, and self-monitoring her accounts.

52. Knowing that the hacker stole her PII, and that her PII may be available for sale on the dark web, has caused Ms. Barnes anxiety. Ms. Barnes is now greatly concerned about credit card theft and identity theft in general. This breach has given Ms. Barnes hesitation about shopping with Hanna, and shopping on other online websites.

53. Now, due to Defendants’ misconduct and the resulting data breach, hackers obtained her PII at no compensation to Plaintiff whatsoever. That is money lost for Plaintiff, and money gained for the hackers, who could sell the PII for at least $15 on the dark web.

V. CLASS ALLEGATIONS

54. Plaintiff re-alleges and incorporates by reference herein all of the allegations contained in paragraphs 1 through 53.

55. Plaintiff brings this nationwide class action pursuant to Rule 23(b)(2), 23(b)(3), and 23(c)(4) of the Federal Rules of Civil Procedure, individually and on behalf of all members of the following class: All individuals whose PII was compromised in the data breach announced by Hanna Andersson on January 15, 2020 (the “Nationwide Class”).

56. The California Class is initially defined as follows: All persons residing in
California whose PII was compromised in the data breach announced by Hanna Andersson on January 15, 2020 (the “California Class”).

57. Excluded from the Class are the following individuals and/or entities: Defendants and its parents, subsidiaries, affiliates, officers and directors, current or former employees, and any entity in which Defendants have a controlling interest; all individuals who make a timely election to be excluded from this proceeding using the correct protocol for opting