Date: 2019-11-19

US DEPARTMENT STORE Macy's has fallen victim to a Magecart attack that saw customers' payment card details stolen.

Macy's says it was alerted to the data breach on 15 October 2019. An initial investigation revealed that the company website, Macys.com, was inappropriately communicating with some remote website under the control of a hacking group.

The attack likely happened on 7 October 2019, according to Macy's, with an unauthorised third party adding a malicious script to two web pages - the 'Checkout' and 'My Wallet' pages - enabling attackers to eavesdrop on sensitive information.

The Checkout page conveyed information to hackers when a customer entered credit card details and hit the "place order" button.

Similarly, the My Wallet page provided customers' private details, including their name, address, city, state, email address, phone number, debit/credit card number, card's security code, and more.

The malicious script on the website was removed on 15 October 2019. After that, Macy's informed law enforcement agencies, as well as credit card issuers.

Only a small number of customers were affected by the data breach, the company claimed. Those affected have been advised to monitor their payment card statements for any signs of fraudulent activity.

"There is no reason to believe that this incident could be used by cyber criminals to open new accounts in your name," the company added in its 'Notice of Data Breach'.

"Nonetheless, you should remain vigilant for incidents of financial fraud and identity theft by regularly reviewing your account statements and immediately reporting any suspicious activity to your card issuer."

The company is offering a free year of the Experian IdentityWorks credit monitoring service to affected users.

Macy's also stated that it has thoroughly investigated the matter and taken appropriate security measures to ensure that such incidents should not be repeated in future.

A few months back, cybersecurity firm Malwarebytes warned e-commerce companies of a summer surge in activity by web-skimming Magecart gangs, targeting organisations' online payments systems. The firm claimed that it had blocked 65,000 web-skimming Magecart data theft attempts in July alone.