Hackers successfully targeted retail giant Macy’s with a Magecart attack, stealing the payments data of the company’s customers, the company said in a statement.
Hackers compromised the checkout and wallet pages of Macy’s website. Data stolen includes payment card numbers, payment card security codes, month/year expiration dates, and more. The company did not provide information about the number of customers affected by the data breach.
“On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website,” the statement said. “Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7th, 2019 an unauthorized third part added unauthorized computer code to two (2) pages on macys.com.”
Macy’s also states they immediately contacted law enforcement as soon as they became aware of the breach. In addition, they enlisted the help of hacking experts to ascertain how such a failure was allowed to occur.
“We immediately began an investigation as soon as we suspected a problem. We quickly contacted federal law enforcement and brought in a leading class forensics firm to assist in our investigation,” the statement said. We have reported the relevant payment card numbers to the card brands (i.e.Visa, Mastercard, American Express, and Discover). In addition, we have taken steps that we believe are designed to prevent this type of unauthorized code from being added to macys.com.”
Finally, the statement goes on to say that while Macy’s currently believes no harm came to customers whose data was compromised, they should remain vigilant.
There is no reason to believe that this incident could be used by cybercriminals to open new accounts in your name,” the statement said. “Nonetheless, you should remain vigilant for incidents of financial fraud and identity theft by regularly reviewing your account statements and immediately reporting any suspicious activity to your card issuer.”