Macy’s officials have alerted customers that their personal data and payment information may have been exposed via a data breach on the department store’s retail website. The breach allowed an “unauthorized third party” to harvest customers’ personal data and payment card information from macys.com.
According to a letter to customers dated Nov. 14, Macy’s officials discovered a suspicious connection between the company’s website and another website with unauthorized computer code placed on Macys.com by a third party. The code was being used to collect customers’ first names, last names, addresses, phone numbers, email addresses, and payment information including card numbers, security codes and expiration dates.
The code was a type of web skimmer malware that was used by hackers to harvest customer data from checkout pages and the “My Wallet” page. These pages allow customers to complete orders and manage their payment options – when customers entered data and/or placed orders, the code was able to collect the data and transmit it to the unauthorized third party.
Macy’s officials discovered the breach on Oct. 14 and launched an immediate investigation. Federal law enforcement was notified as were the card issuers that may have been affected, including Visa, Mastercard, American Express and Discover. Macy’s officials stated that the code has been removed and they have taken security measures to prevent the issue from reoccurring.
Several outlets have reported the attack is linked to Magecart, a cybercrime syndicate that specializes in credit card theft. Ticketmaster and British Airways have fallen victim to similar attacks in the past.
How to Know If You’re Affected
It’s currently unclear how many Macy’s customers may have been affected. According to Macy’s officials, there is no reason to believe that the breach could lead to incidents of identity theft, which typically require a Social Security number to succeed. However, they recommend reviewing credit card activity and bank statements to check for unauthorized transactions, and to report suspicious activity to card issuers or financial institutions.
If you have recently completed transactions or have a payment card on file with macys.com, you may want to proactively notify your card issuer to let them know your payment information could have been compromised. Your card issuer may take special precautions to protect your account.
You also should take steps to monitor your identity and credit to guard against identity theft.