Macy’s has confirmed that its website was hacked with malicious scripts in an attempt to steal customers’ payment information. Macy’s told online publication Bleeping Computer, which first reported on the breach, that only an undisclosed “small” number of customers were affected.
In a letter issued to customers on Nov. 14, Macy’s says that it was alerted to the security incident on Oct. 15 and quickly discovered that card-skimming scripts had been injected into two pages on Macys.com. The code, believed to have been injected on Oct. 7, impacted the Macy’s checkout page and wallet page, the latter of which is accessed through the “My Account” tab. While the code was removed the same day Macy’s was alerted to the problem, customers who have placed orders online or submitted financial details into their wallets may have had their information stolen.
The attackers were able to access detailed personal information, including the customer’s full name and address, phone number, email address, payment card number, payment card security code, and payment card month/year of expiration, if the data was typed on one of the compromised pages.
The breach could be problematic for Macy’s as the holiday season gets underway: 56% of shoppers say it will take them nearly a month to return to shopping with any online retailer after a breach occurs, according to research from SiteLock. Additionally, 32% of customers say they wouldn’t continue to shop with a retailer from which their information was stolen, indicating that Macy’s will likely have to shore up its security systems, remain fully transparent with shoppers and continue open communication to regain their trust.
As a corrective measure, Macy’s is offering impacted customers one year of free credit monitoring.
Macy’s immediately began an investigation into the breach and contacted federal law enforcement as soon as it suspected a problem, the letter said. A forensics team is assisting with the investigation. The department store also has contacted all relevant credit card brands including Visa, American Express, Discover and Mastercard to notify them of the breach.
The recent wave of e-skimming attacks has grown so widespread — affecting more than 18,000 domains — that the FBI issued a warning about the emerging cyber threat, urging businesses to install sufficient security barriers to protect themselves.