Macy’s has written to customers who have been affected by a data breach, just ahead of its Q3 earnings and the Black Friday shopping season.
In a letter dated November 14, the company said: “On behalf of Macy’s, we are writing to inform you about a recent incident involving unauthorized access to personal information about you on macys.com.”
The letter goes on to say that on October 15, 2019, the company was made aware of a suspicious connection between the domain macys.com and another website.
“Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two pages on macys.com. The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two macys.com pages,” the company said. These were the checkout page and the wallet page.
What Information Was Stolen From Macy’s?
While the code was removed on October 15, 2019, according to the company, the following information potentially could have been accessed:
Payment Card Number
Payment Card Security Code
Payment Card Month/Year of Expiration
Macy’s has confirmed that “customers checking out or interacting with the My Account wallet page on a mobile device or on the macys.com mobile application” were not affected.
What is Magecart?
According to ZDNet, this was a “Magecart” attack. RiskIQ explains that Magecart is a cybercrime syndicate that specializes in digital credit card theft.
Other companies that have fallen victim to this type of breach are Ticketmaster and British Airways, according to the security company.
How Can You Find Out Whether You Were Affected By the Macy’s Data Breach?
According to Macy’s, there are a number of ways customers can ascertain whether they’ve been affected:
Customers should remain vigilant for incidents of financial fraud and identity theft by regularly reviewing account statements and immediately reporting any suspicious activity to their card issuer.
Contact their card issuer to inform them that their card information may have been compromised. Your card issuer can suggest appropriate steps to protect your account.
Macy’s has added a precaution to help customers protect themselves. It has arranged to have Experian IdentityWorks provide identity protection services for 12 months at no cost to affected customers. The activation code for these services is unique to each customer.
Experian can also help customers who believe fraudulent use of their information took place as a result of the data breach incident with the following:
Helping with contacting creditors to dispute charges and close accounts.
Assisting in placing a freeze on the customer’s credit file with the three major credit bureaus.
Assisting with contacting government agencies to help restore identity.
Macy’s also encourages its customers to activate the “fraud detection tools” available through Experian IdentityWorks, which is complimentary for 12 months. This product provides identity detection and resolution of identity theft. Customers need to follow the steps below, according to Macy’s:
Ensure that you enroll by November 30, 2020, as the activation code will not work after this date.
Customers can also contact Experian’s customer care team on 855-557-2999 by November 30, 2020, for assistance.
Macy’s also reminds its customers that a credit card will not be required for enrollment to Experian IdentityWorks.
“We are aware of a highly sophisticated and targeted data security incident related to macys.com that affected a small number of customers during a one-week period in October,” a spokesperson from Macy’s told Newsweek. “Our security teams quickly engaged a leading forensic firm to remove the threat.
“Details of this incident were reported to federal law enforcement for investigation and to assist other websites in managing this threat. Affected customers have been notified and will receive additional information, including instructions on how to enroll in consumer protection services at no cost. Security and privacy remain our priority.”
This article was updated to include a statement from Macy’s.