A recent Macy’s data breach is creating headaches for lots of its shoppers. There are a lot of different ways a cybercriminal can gain access to sensitive data. Not all of those ways involve highly sophisticated technological know-how. Sometimes it is as simple as finding unsecured information online, stealing someone’s work laptop or sending out a fake email that looks like the real thing in order to get the victim to hand over their data.

However, other forms of attack are something straight out of a cyberthriller. Knowledgeable black-hat hackers with a very specific skill set can inject malicious computer code into the script of a website, channeling activity from that website to any location they choose. Even worse, this is often done without the website owner’s knowledge and can continue undetected for quite some time.

That is the case with the October 2019 Macy’s data breach. A MageCart attack, in which harmful code was embedded into Macy’s retail website, resulted in the loss of customers’ names, addresses, account numbers, credit card information and other related data points. The code was redirecting all of the information that customers entered to another location without Macy’s permission. Imagine the old home phone lines in which two handsets worked on the same phone number. This attack is just like someone picking up the other extension and listening in on a conversation without the other parties knowing.

The Macy’s data breach was discovered about a week after the code was injected into the company’s site. Macy’s has now issued a notification letter to all customers affected by the breach and has established a free 12-month credit monitoring option for those customers. The company has also removed the malicious code and enabled safeguards to prevent further attacks of this kind.

As for the customers, there are some key takeaways from Macy’s data breach. First, the only information the thieves managed to steal was data that would be entered when creating your Macy’s account. That does not include Social Security numbers, for example, or the information that was entered upon checkout. Second, this means that the thieves could have used your stored credit card but could not have established new lines of credit or opened new credit cards in your name. If you have card-not-present alerts enabled from your financial institution, you would have been alerted the moment a thief tried to use the card you have stored on the Macy’s website.

For now, customers affected by the Macy’s data breach are encouraged to monitor their account statements carefully for any signs of fraud, sign up for the free credit monitoring if offered and remember to activate the kinds of security measures that will protect them in the event something like this happens again. Card-not-present alerts and two-factor authentication are just two of the tools that many banks and credit card companies offer in order to keep customers safe.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at 888.400.5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

