Macy’s is notifying some of its online customers that their card details have been skimmed as part of another Magecart data breach.
According to the breach notice, the firm only found out about the incident around a week after it happened, in early October.
“On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two pages on macys.com,” it said.
“The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two macys.com pages: (1) the checkout page — if credit card data was entered and “place order” button was hit; and (2) the wallet page — accessed through My Account. Our teams successfully removed the unauthorized code on October 15, 2019.”
Affected customers are likely to have had their full card details and more swiped by the hackers: first name; last name; address; city; state; zip; phone number; email address; payment card number; payment card security code; payment card month/year of expiration.
This has given potential fraudsters, who get hold of the details, enough information to make fraudulent purchases in the victims’ names and even to craft other identity fraud scams.
In the meantime, Macy’s said it has reported the incident to affected card brands (Visa, Matercard etc) and taken steps to prevent Magecart code being added to its pages again. It has also offered affected customers free Experian IdentityWorks identity protection services for 12 months.
Macy’s is just the latest in a long line of big-name brands to have had their sites compromised by Magecart code. Most famously, British Airways was fined £183 million by the UK regulator under the new GDPR for failings which led to its breach.