Upscale retailer Macy’s has reported a breach of its payment system. Macy’s is the latest high-profile victim of the Magecart cyber attack. The attack exposed and unknown number of customer’s personal data including credit card information, addresses, phone numbers and email addresses that was leaked after being entered on a compromised web page.
Macy’s became aware of the breach on October 15th, a week after two specific pages on its site, the checkout page and the wallet page accessed through the users’ accounts, were hacked. Hackers had inserted malicious code into the pages.
Magecart is a credit card fraud technique that skims card numbers in a supply chain attack. Hackers insert malicious JavaScript into third-party software used by retailers in their online checkout systems. Magecart has been previously used to attack British Airways and Ticketmaster and is known to be used by a numerous different threat groups.
Macy’s does not believe that the attack and associated customer information could be used by criminals to open new, fraudulent accounts. However the retailer has offered customers affected by the breach a 12-month subscription to Experian’s IdentityWorks fraud protection service. According to Macy’s all customers impacted by the data breach have been notified but cautioned consumers to monitor their credit card statements for fraud-related activity.