Macy’s says it’s been hit by a “highly sophisticated and targeted data security incident” that affected “a small number” of its customers.
The breach, in which information was captured from customers as they shopped on Macy’s online store, took place between October 7 and 15, 2019. Those affected have been notified and will be updated on developments, Macy’s told Digital Trends by email.
Macy’s said the cybercriminals “potentially accessed” customer information that includes first name, last name, home address, phone number, email address, and payment card number including the card’s security code and expiration date.
It added that the information was likely taken only where a customer entered it on the macys.com checkout page or on the My Account wallet page. Customers who checked out or used the My Account wallet page on a mobile device or in the macys.com mobile app were not affected, the company said.
The attackers are thought to have carried out the attack by injecting malicious code into the website’s checkout and wallet pages, where it captured the information customers typed in before it was submitted.
“Our security teams quickly engaged a leading forensic firm to remove the threat,” the retail giant told Digital Trends. Federal law enforcement is also investigating the incident.
The company is contacting customers with information on how to enroll in consumer protection services, which will be offered to those affected at no cost.
Its shoppers are also being warned to keep an eye on their account statements for any suspicious activity, which, if spotted, should be reported immediately to the card issuer.
Magecart malware
The Macy’s attack has been linked to Magecart, an umbrella term for criminal groups that inject card-skimming code into online shopping sites to grab customer data as it is entered. Because the skimmer runs in the shopper’s browser, the retailer’s back-end databases need not be breached at all, which is why such attacks can go unnoticed for days. The technique has been in use for several years, and U.S.-based cybersecurity firm RiskIQ estimates that Magecart has compromised more than 17,000 domains, some of which appear in the top 2,000 websites ranked by Alexa.
Recent Magecart victims have included British Airways, which suffered a major breach affecting around 380,000 customers in 2018 and for which the UK Information Commissioner’s Office later announced a proposed fine of about $230 million, and online electronics retailer Newegg, which was also hit in 2018. More recently, the Baseball Hall of Fame’s website fell victim to Magecart.
The stolen data may end up being traded on criminal forums, with buyers using it for fraudulent online purchases: the card number, expiration date and security code are exactly what a card-not-present transaction requires, and the accompanying name and address details help the purchases pass basic checks.