Macy’s Latest Victim of Cyber Attack

What’s Going On? Macy’s online store has recently been compromised in a data breach giving out consumers’ personal information. An investigation on October 15 found that Macys.com  was linked to a website that stole customer payment data on the “Checkout” and “My Wallet” pages. The “Checkout” and “My Wallet” pages are the two primary pages used for payment and management of payments. First reported by Bleeping Computer, Macy’s released a letter to customers on Thursday informing them of the breach and offering any consumer affected identity protection services for 12 months.

What Did Macy’s Say? Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two pages on macys.com. The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two macys.com pages: the checkout page – if credit card data was entered and ‘place order’ button was hit; and the wallet page – accessed through My Account. Our teams successfully removed the unauthorized code on October 15, 2019.

What all of that means for you: The information or data taken in the breach included customers’ first and last name, home address, phone number, email address, credit card number used for payments, security code, and expiration date. All of that info was taken only if entered on either of those two Macy’s web pages specifically. According to Business Insider, Macy’s has contacted all customers impacted and offered consumer protection services at no cost. If you’ve recently used either of Macy’s “Checkout” or “My Wallet” pages, watch your credit card and bank statements. The best defense and protection of your data and information is to remain diligent about how it is being used and who can use it.