Fashion retailing giant Macy’s has issued an advisory to customers that its website servers have been breached by hackers. The attack was initiated on October 7, and the company was notified about it on October 15.
Macy’s says the attackers inserted an obfuscated script into the Checkout and My Wallet pages of its shopping website and skimmed data as it was submitted.
“On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019, an unauthorized third party added unauthorized computer code to two (2) pages on [the Macy’s website].”
As to the data that was leaked, the company’s notice said hackers obtained full names and addresses. More importantly, the attackers also had access to payment card numbers, along with their associated security codes and expiration dates. However, the company does not believe the data will be used for identity theft.
“There is no reason to believe that this incident could be used by cybercriminals to open new accounts in your name,” the company told customers, downplaying the severity of the attack. It wisely added, “Nonetheless, you should remain vigilant for incidents of financial fraud and identity theft by regularly reviewing your account statements and immediately reporting any suspicious activity to your card issuer.”
The hack worked by having the script inserted into the compromised pages send traffic to a third-party server, where the payment data was intercepted. This is known as a Magecart attack, named after the consortium of hackers that has used this technique to breach more than 17,000 other websites, including Newegg, Quest Diagnostics, and British Airways.
Since this method only skims data as it is submitted to the targeted website, not all customers were affected. Only those who visited the compromised pages and attempted to make purchases during the attack are at risk, a group Macy’s says is only a small number of its customers.
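The two things a defender can look for on a checkout page are exactly what the article describes: a script loaded from an origin the site does not own, and an inline script that has been obfuscated. The following Node.js script is an added example, not code from the article or from Macy’s; it audits a page’s HTML against an allowlist of first-party origins and flags both signs, and it builds the Content-Security-Policy that would block the foreign script load and the outbound connection that carries the skimmed data. The allowlist, the placeholder domains and the sample HTML are all constructed for illustration.

```javascript
// Added example (not from the article): static audit of a checkout page for
// Magecart-style indicators, plus the CSP that closes both exfiltration paths.

// Origins the site actually serves script from (placeholder domains).
const ALLOWED_ORIGINS = new Set([
  'https://www.example-shop.test',
  'https://cdn.example-shop.test',
]);

// Constructed sample: one legitimate script, one script pulled from an unknown
// origin, and one inline blob with the usual obfuscator fingerprints.
const SAMPLE_HTML = `
<html><head>
<script src="https://cdn.example-shop.test/checkout.js"></script>
<script src="https://static.unknown-host.test/jquery.min.js"></script>
<script>
var _0x4f=['\\x63\\x61\\x72\\x64','\\x70\\x6f\\x73\\x74'];eval(atob('ZG9jdW1lbnQ='));
</script>
</head><body><form id="checkout"></form></body></html>`;

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;

// Pull every <script> out of the HTML as { src, body }.
function extractScripts(html) {
  const scripts = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const srcMatch = SRC_RE.exec(m[1]);
    scripts.push({ src: srcMatch ? srcMatch[1] : null, body: m[2].trim() });
  }
  return scripts;
}

// Resolve a script URL to its origin; relative URLs resolve to the page origin.
function originOf(src, pageOrigin) {
  try {
    return new URL(src, pageOrigin).origin;
  } catch {
    return null; // unparsable URL: report it rather than silently allow it
  }
}

// Cheap heuristics for obfuscated inline code; each hit adds to the score.
function obfuscationScore(code) {
  let score = 0;
  if (/\b_0x[0-9a-f]{2,}\b/i.test(code)) score += 2;          // obfuscator-style identifiers
  if (/\beval\s*\(/.test(code)) score += 2;                     // dynamic code execution
  if (/\batob\s*\(|String\.fromCharCode/.test(code)) score += 1; // encoded string reconstruction
  const hexEscapes = (code.match(/\\x[0-9a-f]{2}/gi) || []).length;
  if (hexEscapes >= 4) score += 2;                              // hex-escaped string literals
  const longestLine = Math.max(...code.split('\n').map((l) => l.length));
  if (longestLine > 500) score += 1;                            // minified single-line blob
  return score;
}

// Audit a page: unknown script origins and obfuscated inline scripts are findings.
function auditPage(html, pageOrigin, allowedOrigins = ALLOWED_ORIGINS) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src !== null) {
      const origin = originOf(s.src, pageOrigin);
      if (origin === null || !allowedOrigins.has(origin)) {
        findings.push({ type: 'unexpected-origin', detail: s.src });
      }
    } else if (obfuscationScore(s.body) >= 3) {
      findings.push({ type: 'obfuscated-inline', detail: s.body.slice(0, 60) + '...' });
    }
  }
  return findings;
}

// A CSP built from the same allowlist: script-src blocks the foreign script,
// connect-src and form-action block the browser from sending data elsewhere.
function buildCsp(allowedOrigins) {
  const list = [...allowedOrigins].join(' ');
  return `default-src 'self'; script-src ${list}; connect-src ${list}; form-action ${list}`;
}

console.log(auditPage(SAMPLE_HTML, 'https://www.example-shop.test'));
console.log(buildCsp(ALLOWED_ORIGINS));
```

The audit is a static heuristic, so it is most useful as a check run against the rendered page on every deploy and as an alert when a diff introduces a new origin; the CSP is the runtime control, and pairing it with a report-uri or report-to endpoint turns every blocked load or connection into a detection event.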
“We are aware of a data security incident involving a small number of our customers on [the website],” a Macy’s spokesperson told BleepingComputer, who broke the story. “We have investigated the matter thoroughly, addressed the cause, and have implemented additional security measures as a precaution. All impacted customers have been notified, and we are offering consumer protections to these customers at no cost.”
As soon as the company learned that customer data had been leaked, it contacted federal law enforcement authorities and employed “a leading class forensics firm” to help with the internal investigation. It has also sent notifications to affected parties letting them know what they can do.
The only good thing about this incident is that, unlike a database breach, these pieces of data could only be stolen if the customer entered them on the compromised pages. Unfortunately, those pages were the checkout page and the user Wallet page. Still, Macy’s claims that only a small percentage of its customers were affected and has already initiated countermeasures, including offering credit card monitoring for affected customers.