The nation’s largest department store chain has been the victim of an online security breach.
In a letter to customers, Macy’s says that on Oct. 15, 2019, it was alerted to a “suspicious connection” between the macys.com e-commerce site and another site. Based on an internal investigation, Macy’s believes that on Oct. 7, an “unauthorized third party” added malware to the checkout page and wallet page on its e-commerce site.
According to Macy’s, it “quickly contacted” federal law enforcement and brought in an outside forensics firm after launching its internal investigation. The retailer says it has reported payment card numbers believed to have been compromised to Visa, Mastercard, American Express, and Discover. Macy’s has also taken unspecified steps to prevent future Magecart attacks.
While Macy’s says there is “no reason” for customers to believe criminals could open fraudulent accounts in their name using information stolen in the breach, the retailer advises customers to actively monitor their payment card activity and immediately report anything suspicious. Macy’s is also offering customers whose data may have been exposed 12 free months of Experian identity restoration services.
Online cosmetics retailer First Aid Beauty is also reported to have recently been victimized by a Magecart attack.