The company received an alert about "a suspicious connection between macys.com and another website" on Oct. 15, which led it to immediately launch an investigation. The data breach notification issued by Macy's says the retailer has shared all of the compromised payment card numbers with Visa, MasterCard, American Express and Discover.
Stolen data potentially includes the following, if a customer entered it while on the "My Wallet" or checkout pages: name, full address, phone number, email address, payment card number, card security code and card month/year of expiration. Macy's says only users of its website, and not its mobile applications, were at risk.
Bleeping Computer, which first reported on the breach, says that the code planted on Macy's site appears to have involved malicious JavaScript connected to Magecart. Officials at Macy's declined to quantify the number of breach victims or stolen payment cards, or to say whether they could confirm that Magecart scripts had been running on its site.
Macy's says it has been directly notifying affected customers via email, advising them to watch their financial statements for signs of fraud, which it notes will be reimbursed by card issuers. It's also offering all victims Experian's IdentityWorks identity fraud monitoring services, prepaid for 12 months.