American
department store chain Macy’s has suffered an embarrassing data breach, leaving
hackers with access to customers’ personal and financial information, including
credit card numbers and even card security codes.
In a letter
to affected customers, Macy’s reveals that an unknown cybercriminal or group of
hackers targeted macys.com with malicious code placed strategically at the
checkout page and My Account wallet page to grab credit card information for
fraud.
The company
noticed suspicious activity on October 15 and started an investigation. It then
learned the hack had occurred on October 7, giving attackers eight days to steal
personal and financial data to carry out fraud and identity theft.
According to the notice, cybercriminals “potentially” accessed customers’ first name, last name, address, phone number, email address, and payment card number, security code and expiration date, as well as other values typed into the webpage while on the macys.com checkout page or the My Account wallet page.
“Customers
checking out or interacting with the My Account wallet page on a mobile device
or on the macys.com mobile application were not involved in this incident,”
Macy’s said.
In a bid to
protect customers against phishing scams leveraging this stolen data, the
company underscores that it will never ask customers to provide their macys.com
password or security question answers by phone, email, or text.
In
traditional data-breach fashion, Macy’s will foot the bill for a year’s worth
of credit card monitoring for all affected customers. The company also instructs
customers to “remain vigilant for incidents of financial fraud and identity
theft by regularly reviewing your account statements and immediately reporting
any suspicious activity to your card issuer.”
Customers
can also contact their card issuer and inform them of the macys.com breach, as
well as ask for appropriate steps to protect their account.