Over a two-month period, a relatively low-level cyber thief systematically infiltrated Macy’s systems, cracking into hundreds of customer profiles and making off with vital personal information.
Last week Macy’s went public with the news, mailing letters to the small group of affected shoppers, informing them of the compromise and attempting to make amends.
According to the letter: “On June 11, 2018, our security suite alerted us to a spike in anomalous login activities on macys.com and bloomingdales.com. Our investigation showed that, beginning on or about April 26, 2018 through our remediation on June 12, the attacker used valid user credentials (user names and passwords) to login to some online profiles.”
The retailer stated that there is no evidence that its systems containing login credentials were compromised, but rather the cyber-criminal gained access to shoppers’ unique user names and passwords from another company or the dark web. Once logged into shopper accounts Macy’s “believes the attacker accessed certain information stored in customer profiles logged into by the attacker and attempted to access encoded payment data stored on those profiles.”
Once the retailer’s security team was alerted to the problem on June 11, the traffic pattern matching the script was blocked with six hours. Within 24 hours, Macy’s blocked access to the relevant customer profiles, purged all payment card data from the profiles and blocked the profiles until customers changed their passwords.
Macy’s believes the affected customers number less than 800 and are contained to New Hampshire. All affected customers will receive complimentary theft monitoring and identity repair services. Even if shoppers are not among the small number of known victims, Experian has some advice: change passwords, update debit and credit card numbers, monitor account activity, and keep an eye on credit.
According to Bloomberg News, Macy’s was hit with a proposed class-action lawsuit that accuses the retailer of being “lackadaisical” for failing to safeguard customers’ personal information and waiting almost a month before notifying them of the cyberattack.