Macy’s has announced that it suffered a data breach.
The breach was caused by Magecart skimming code inserted into its online payment portal. As a result, hackers were able to steal customers’ personal information.
Even worse, the data stolen didn’t just include names, addresses, and phone numbers. It also included credit card numbers, card verification codes, and expiration dates.
Macy’s didn’t disclose how many customers were impacted, but in a letter the retail giant said it discovered the malicious code on October 15. The company believes the code was injected on October 7.
“On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019, an unauthorized third party added unauthorized computer code to two (2) pages on macys.com. The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two (2) macys.com pages: (1) the checkout page – if credit card data was entered and “place order” button was hit; and (2) the wallet page – accessed through My Account.”
Although Macy’s removed the code on the same day that it was discovered, any payment information submitted to these two pages while they were compromised is at risk.
It’s worth noting that this isn’t the first time Macy’s has suffered a breach — last year, Macy’s disclosed a breach that lasted almost two months, resulting in hackers stealing credit card information and passwords from 0.5% of its customer base.