Macy’s confirms hackers stole customer data from its website

Macy’s says it’s been hit by a “highly sophisticated and targeted data security incident” that affected “a small number” of its customers.

The data breach, in which information was stolen from customers as they shopped on Macy’s online shopping site, took place between October 7 and 15, 2019. Those affected have been notified and will be updated on developments, Macy’s told Digital Trends by email.

Macy’s said the cybercriminals “potentially accessed” customer information that includes first name, last name, home address, phone number, email address, and payment card number including the card’s security code and expiration date.

It added that the information will likely have been taken in cases where the customer entered the data in the checkout page or in the My Account wallet page. Customers checking out or interacting with the My Account wallet page on a mobile device or on the mobile application are in the clear, the company said.

The hackers are thought to have launched the attack by inserting malicious code into Macy’s website that allowed them to capture customer information.

“Our security teams quickly engaged a leading forensic firm to remove the threat,” the retail giant told Digital Trends. Federal law enforcement is also investigating the incident.

The company is contacting customers with information on how to enroll in consumer protection services, which will be offered to those affected at no cost.

Its shoppers are also being warned to keep an eye on their account statements for any suspicious activity, which, if spotted, should be reported immediately to the card issuer.

Magecart malware

The Macy’s attack has been linked to Magecart, a type of malware injected into online shopping sites in an effort to grab customer data. The software has been used by hackers for nearly a decade, with U.S.-based cybersecurity firm RiskIQ suggesting Magecart has compromised more than 17,000 domains, some of which appear in the top 2,000 websites ranked by Alexa.

Recent Magecart victims have included British Airways, which suffered a major breach affecting around 380,000 customers in 2018 and for which the airline was subsequently fined about $230 million, and online electronics retailer Newegg, which was also hit in 2018. More recently, the Baseball Hall of Fame’s website fell victim to Magecart.

The stolen data may end up being traded on illicit hacking forums, with buyers hoping to use it for online shopping sprees or perhaps to withdraw money from accounts.

Trevor Mogg
Contributing Editor