Popular retailer Macy's has been hacked. The company provided notice of data breach in a letter to customers.
Macy's notified customers that on October 15, 2019 they found a suspicious connection between macys.com and another website. Based on an investigation, they believe an unauthorized third party added unauthorized computer code to two pages on macys.com. "The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two macys.com pages: (1) the checkout page - if credit card data was entered and "place order" button was hit; and (2) the wallet page - accessed through My Account," says Macy's. The unauthorized code was removed on October 15. Macy's says customers checking out or interacting with the My Account wallet page on a mobile device or on the macys.com application were not involved in the data breach.
The type of information involved included:
- First name
- Last name
- Zip code
- Phone number
- Email address
- Payment card number
- Payment card security code
- Payment card month/year of expiration
Macy's noted it has contacted federal law enforcement and brought in a forensic firm to assist in the investigation. In addition, they have reported the relevant payment card numbers to the card brands that may have been affected, such as Visa, Mastercard, American Express and Discover. They also noted they had taken steps they believe "are designed to prevent this type of unauthorized code from being added to macys.com."
Macy's has arranged to have Experian IdentityWorks to provide customers with identity protection services for 12 months at no cost, says the company.