Macy’s checkout page hacked; customers advised to be vigilant of fraud

Department store chain Macy’s has suffered an embarrassing data breach where hackers gained access to customers’ personal and financial information, including credit card numbers and even card security codes.

In a letter to affected customers, Macy’s reveals that an unknown cybercriminal or group of hackers targeted its website with malicious code placed strategically on the checkout page and My Account wallet page in order to grab credit card information usable for fraud.

The company noticed suspicious activity on October 15 and started an investigation. It then learned the hack had occurred more than a week earlier, on October 7, giving attackers plenty of time to exfiltrate enough personal and financial data to be used in fraud and identity theft.

According to the notice, cybercriminals “potentially” accessed customers’ first name, last name, address, city, state, ZIP, phone number, email address, payment card number, payment card security code, and payment card month/year of expiration, if the values for these items were typed into the webpage while on either the checkout page or the My Account wallet page.

“checking out or interacting with the My Account wallet page on a mobile device or on the mobile application were not involved in this incident,” Macy’s said.

In a bid to protect customers against phishing scams leveraging this new data breach, the company underscores that it will never ask customers to provide their password or security question answers by phone, email, or text.

In traditional data-breach fashion, Macy’s takes it upon itself to foot the bill for one year’s worth of credit card monitoring for all affected customers. The company also instructs customers to “remain vigilant for incidents of financial fraud and identity theft by regularly reviewing your account statements and immediately reporting any suspicious activity to your card issuer.”

Customers can also contact their card issuer and inform them of the breach, as well as ask for appropriate steps to protect their account.