Macy’s customers’ credit card data gets leaked. Why do companies keep making the same mistakes?

According to web application security specialists, Macy’s department store has been affected by a data breach that has compromised financial details of multiple store customers. This is the second time in less than two years that the company has suffered a data security incident. According to the Alexa voice assistant ranking, the Macy’s website is one of the most popular in the US.

The company states that hackers managed to inject malicious code into its website and extract customer details, including:

  • Full names
  • Addresses
  • Phone numbers
  • Payment card data (including card number, expiration date and security codes)

The incident has already been reported to the California Attorney General’s office.

The data breach is reported to have lasted about one week, from 7 to 15 October; although the company has not disclosed an exact figure, web application security experts estimate that, given the nature of the compromised information and the duration of the attack, thousands of customers could be affected.

This is the most recent case of an attack on a website to extract payment card information, a very common data breach variant. Although it is still unknown who is behind the attack on Macy’s, some members of the cybersecurity community attribute it to the hacking group Magecart, whose history includes attacks on high-profile websites such as British Airways, Ticketmaster, Newegg and several health care services companies.

A few months ago, Macy’s revealed that a group of hackers had access to its networks for an extended period, during which they managed to extract payment card information from about 0.5% of the company’s customers. As reported by the International Institute of Cyber Security (IICS) web application security experts, that incident culminated in a class action lawsuit against Macy’s over its questionable security practices.