Macy's suffered a data breach, which it was alerted to on October 15, caused by a card-skimming code being added into its online payment portal.
In a letter issued to customers, the company says it believes the code was added on October 7th and that the Macy's team quickly found that the unauthorized code had been injected into the checkout page and wallet page of Macys.com. The team removed the code on October 15th.
While the code was removed on the same day Macy's was alerted to the problem, customers that placed orders online may have had their information stolen. Shoppers checking out through mobile were not involved.
This data at risk includes first and last names, addresses, phone numbers, email addresses, payment card numbers and security codes, and expiration dates.
Macy's was also hit with a data breach back in 2018, which occurred over a two-month period.
“Macy’s has taken the appropriate steps to contain and mitigate this data-stealing campaign, including quick notification of the breach as well as quick action to remove the code,” says Vinay Sridhara, CTO of Balbix. “Still, the malicious code went unsuspected for a week. All that constitutes IT infrastructure is rapidly expanding and Gartner predicts that by 2020, the total number of connected things will reach 20.4 billion. It is critical that Macy’s implement security solutions that scan and monitor all attack vectors across connected applications such as online payment portals as well as all third-party systems to detect vulnerabilities that could be exploited. Proactively identifying and addressing vulnerabilities that would put customers’ personally identifiable information at risk of exposure, will enable enterprises to mitigate future breaches and avoid litigation, fines under data privacy laws, retain brand image and increase the organizations’ market share.”
"Attacks that rely on user traffic ramp up seasonally and the holidays is where retail is targeted the most,” warns Jarrod Overson, Director of Engineering at Shape Security. "Macy's did not implement their side of the subresource integrity feature (SRI) that web browsers offer. SRI can help browsers identify and prevent changed files from running but it's not clear if that would have completely prevented this attack. Attackers may have also had control of the application server where hashes are delivered. Regardless, it is critical to have a service monitoring and tracking the resources your page serves.”
In any case, the news of Macy’s breach comes at a bad time, as holiday shopping ramps up. Recent research from SiteLock found The majority of shoppers (56%) say it will take them about a month to return to shopping with any online retailer after a breach – i.e. Macy’s may be missing half their customers this Black Friday/Cyber Monday.
Macy’s shares sank 10.9% in Tuesday trading after reports of the data breach, MarketWatch reported.