Another retail breach as malware attack manipulates Macy’s site

Dan Berthiaume
Senior Editor, Technology

The nation’s largest department store chain has been the victim of an online security breach.

In a letter to customers, Macy’s says that on Oct. 15, 2019, it was alerted to a “suspicious connection” between the e-commerce site and another site. Based on an internal investigation, Macy’s believes that on Oct. 7, an “unauthorized third party” added malware to the checkout page and wallet page on its e-commerce site.

The malware enabled unauthorized access to personal and financial data shoppers entered on these two pages, including payment card information for completed orders as well as customer first and last names, street addresses, and email addresses. This breach appears to be a “Magecart” attack, an increasingly popular form of cyberattack in which hackers install malicious JavaScript on a legitimate e-commerce site to collect card data every time a customer makes a purchase. Data from mobile customers was not compromised as part of this breach.

According to Macy’s, it “quickly contacted” federal law enforcement and brought in an outside forensics firm after launching its internal investigation. The retailer says it has reported payment card numbers believed to have been compromised to Visa, Mastercard, American Express, and Discover. Macy’s has also taken unspecified steps to prevent future Magecart attacks.

While Macy’s says there is “no reason” for customers to believe criminals could open fraudulent accounts in their name using information stolen in the breach, the retailer advises customers to actively monitor their payment card activity and immediately report anything suspicious. Macy’s is also offering customers whose data may have been exposed 12 free months of Experian identity restoration services. 

Online cosmetics retailer First Aid Beauty is also reported to have recently been victimized by a Magecart attack.