Skip to main content

Macy's hit by customer data breach

Macy's at a mall
(Image credit: Macy's)

The American department store chain Macy's has revealed that it suffered a data breach after hackers gained access to its website and used malicious scripts to steal customer's payment information.

The retailer fell victim to a MageCart attack at the beginning of October when hackers added a malicious script to its 'Checkout' and 'My Wallet' pages. If a customer submitted payment information on these pages while they were compromised, their card details and customer information was sent to a remote site which the attackers control.

In a notice of data breach, Macy's provided more information on when it was alerted to the suspicious activity on its site and the next steps the company took, saying:

"On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two (2) pages on macys.com. The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two (2) macys.com pages: (1) the checkout page - if credit card data was entered and “place order” button was hit; and (2) the wallet page - accessed through My Account. Our teams successfully removed the unauthorized code on October 15, 2019."

Macy's data breach

As a result of the data breach on its site, the attackers were able to access customer information and credit card information from user's who submitted payments including their first name, last name, address, city, state, zip code, phone number, email address, payment card number, payment card security code and the expiration date of their cards.

Those behind the data breach had access to Macy's website for a full week before the retailer was alerted to the hack. During that time, they were able to harvest the payment and customer information of everyone who submitted payments on its online store.

Macy's has now begun to send out emails to those who were affected by the hack and the company is advising that they monitor their credit card statements for any suspicious or fraudulent activity.

The retailer is also offering all affected users a free year of Experian IdentityWorks credit monitoring service to protect them against any possible repercussions as a result of the breach.

Via Bleeping Computer