Macy’s Suffers Online Magecart Card-Skimming Attack, Data Breach
Macy's has announced a data breach caused by Magecart card-skimming code being implanted in the retailer's online payment portal. In a letter issued to customers, Macy's says that it was alerted to the security incident on Oct. 15, and it quickly found that a card-skimming script had been injected into two pages on its website. The code, believed to have been injected on Oct. 7, impacted Macy's checkout page and wallet page, the latter of which is accessed through the "My Account" facility. While the code was removed on the same day Macy's was alerted to the problem, customers who have placed orders online or submitted financial details into their wallets may have had their information stolen. This data includes first and last names, physical addresses, ZIP codes, email addresses, payment card numbers, card security codes, and expiration dates.
Total Retail's Take: Retailers must be continually vigilant about their cyber and data security practices, as cybercriminals are looking to target the industry in growing numbers. In the case of Macy's, it's likely that a vulnerability in its website or back-end content management system enabled a cybercriminal to implant card-skimming malware.
"MageCart isn't a mystery," says Colin Bastable, CEO of security awareness training company Lucy Security. "By now, one might think that ‘additional security measures’ would be added to all websites as a matter of course before hackers drop in some malicious code. That is, surely, the definition of a precaution. Macy’s has implemented what should be described as a security post-caution.
"For consumers, ’tis the season to be robbed online. Don’t be fooled by that secure SSL padlock, nor by your browser trusting a website’s ‘secure’ https: prefix. Between now and the New Year’s sales, hundreds of millions of dollars will be up for grabs by online hackers. The credit card companies have already built in the losses as a cost of doing business.”
This breach couldn't come at a worse time for Macy's, a week before the Black Friday and Cyber Monday weekend and the start of the holiday shopping season. Consider the following research from SiteLock, which details the impact that a data breach has on consumer trust and willingness to shop with an affected retailer:
- The majority of consumers (56 percent) say it will take them about a month to return to shopping with any online retailer after a breach — i.e., Macy’s may be missing half their customers this Black Friday and Cyber Monday.
- Nearly one-third (32 percent) of customers do not continue to shop with the retailer their information was stolen from.
- Two-thirds (66 percent) of consumers are concerned about their personal data being stolen as a result of shopping online.