This week, major U.S. department store chain Macy’s revealed that it was targeted by a cyber attack that attempted to steal its customers’ payment information.
The macys.com website was infected on October 7 with what the company refers to only as “unauthorized code” on its “My Wallet” and “Checkout” pages. This allowed the cyber thieves to capture credit card data from unaware customers using either of those two pages. Macy’s has stated that it was not alerted to the breach until October 15, a whole week after the site was compromised.
The information the attackers were able to access included detailed personal information, such as customers’ full names, addresses, email addresses and phone numbers, and financial information, such as credit card numbers, credit card security codes and card expiration details, for those who typed the information into one of the compromised pages.
In a statement, Macy’s confirmed that it is investigating the incident and added that it has taken preventative steps intended to help avoid this sort of situation in the future. Macy’s has also insisted that only a small number of its macys.com customers were affected by the hack, and it will provide affected customers with one year of free credit monitoring.
In another statement released by a Macy’s spokesperson, they said the following: “We are aware of a data security incident involving a small number of our customers on Macys.com. We have investigated the matter thoroughly, addressed the cause and have implemented additional security measures as a precaution. All impacted customers have been notified, and we are offering consumer protections to these customers at no cost.”
Cybersecurity firm RiskIQ recently published a report on the Magecart cyber thieves in which it stated the following: “Magecart is a rapidly growing cybercrime syndicate comprised of dozens of subgroups that specialize in cyber attacks involving digital credit card theft.”
E-skimming attacks have become so widespread in recent years that over 18,000 domains have been affected, and the FBI has issued a warning to businesses cautioning them about the threat and urging them to put sufficient barriers in place so that they are protected should an attack occur. In its warning, the FBI suggests keeping software up to date, segregating critical network infrastructure, enabling multi-factor authentication and keeping an eye out for phishing attacks.
And one last thing to consider if you are a merchant and you are worried about data breaches affecting your bottom line: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.