Hackers accessed macys.com’s “Checkout” and “My Wallet” pages early last month and added malicious script to lift shoppers’ personal information, such as credit card data, then send it to a remote site.
The company discovered the Oct. 7 hack on Oct. 15 when it observed “a suspicious connection” between macys.com and the remote website, the company said in a Notice of Data Breach.
The hackers potentially accessed names, addresses, email addresses and payment information such as credit card numbers, security codes and expiration dates. The company said it has taken steps to secure its website, including excising the malicious code and notifying financial institutions.
“MageCart is not a mystery, by now, one might think that ‘additional security measures’ would be added to all websites as a matter of course, before hackers drop in some malicious code,” said Colin Bastable, CEO of Lucy Security. “That is, surely, the definition of a precaution. Macy’s has implemented what should be described as a security postcaution.”
Noting that “every cloud has a silver lining” with Macy’s having “so few online customers buying from their website that ‘only a small amount of customers were affected,’” Bastable said, “the hackers will not be too disappointed that they only infected two pages on macys.com, given that those were the checkout and wallet pages.”