The US department store stated that it was alerted of a data breach on October 15, 2019 regarding a suspicious connection between macys.com and another website.
Following an investigation, it is believed that an unauthorised third party added malicious script to two pages on macys.com on October 7, 2019. The script was added to the “Checkout” and “My Wallet” pages.
The malicious script was removed on the same day it was identified, however customers that placed online orders or submitted their financial details prior to the code being removed – may have had their information stolen.
Threat actors may have potentially accessed personal information and financial credentials including first name; last name; address; city; state; zip; email address; phone number; payment card number; payment card security code; payment card month/year of expiration – if these were submitted into the compromised page.
Macy’s have notified law enforcement and hired a leading class forensics firm to assist with their investigation. In addition, all relevant card brands (i.e Visa, Mastercard, Discover and American Express) have also been alerted.
In the notice, Macy’s wrote: “There is no reason to believe that this incident could be used by cybercriminals to open new accounts in your name. Nonetheless, you should remain vigilant for incidents of financial fraud and identity theft by regularly viewing your account statements and immediately reporting any suspicious activity to your card issuer.”
Macy’s told BleepingComputer that only a small amount of customers were impacted, and that additional security measures have been implemented to prevent this from occurring again.
Macy’s has also arranged to have Experian IdentityWorks to provide its customers with identity protection services for 12 months at no additional cost.