Plaintiff Bernadette Barnes filed a class action complaint against Salesforce and Hanna Andersson for negligence and violation of California’s unfair competition law. Hanna Andersson is a children’s clothing store and online retailer that uses Salesforce for e-commerce. Barnes also alleged violations of the California Consumer Privacy Act but did not request fines under that statute. The new law went into effect on January 1.
Hanna Andersson notified customers about a data breach that occurred from September 16, 2019 to November 11, 2019. “Hackers not only ‘scraped’ many of Hanna’s customers’ names from the website by infecting it with malware, they also stole customers’ billing and shipping addresses, payment card numbers, CVV codes, and credit card expiration dates. The criminals got everything they needed to illegally use Hanna’s customers’ credit cards to make fraudulent purchases, and to steal the customers’ identities.” Customer identities were found for sale on the “dark web.” The complaint alleged that this incident resulted from Hanna Andersson’s and Salesforce’s negligence. The suit came after Hanna Andersson notified customers of the breach in January.
Law enforcement contacted the defendant companies months after the data breach, the complaint alleged. Hanna Andersson’s investigation revealed that Salesforce Commerce Cloud’s e-commerce platform was infected with malware that scraped customer information. Hanna Andersson informed customers a month after it knew about the breach, according to the complaint. Salesforce has yet to make an announcement concerning the breach.
Hanna Andersson and Salesforce are accused of inadequately protecting user information, failing to warn users of its insufficient security measures and failing to monitor the site’s e-commerce platform for weaknesses and security threats.
Hanna Andersson also notified state Attorney Generals of the data breach but included more information in the notification than was given to customers. Plaintiff Barnes spent time dealing with the repercussions of having her information compromised, including contacting her credit card company, reviewing her account, looking into credit monitoring solutions.
Barnes seeks an order for injunctive relief, including credit monitoring services for the Class, and awards for compensatory, statutory and punitive damages.