Everything We Know About the Macy’s Data Breach

Yesterday, major retailer Macy’s announced that it suffered a data breach caused by Magecart card-skimming code. Macy’s security team first received information on the security incident on October 15; however, the attackers may have injected the malicious code around October 7, leaving roughly a week of potential compromise.

The Macy’s breach affected the online Checkout page and the Wallet page—which users access through their Account page. According to a statement from the retailer, the code “allowed the third party to capture information submitted by customers.” 

The data potentially compromised in this security incident includes full names, physical addresses, ZIP codes, and email addresses. Worryingly, it also includes payment card numbers, card security codes, and expiration dates. It remains unclear how many customers were affected by the Macy’s breach; the retailer contends that only a small number of customers were hit by the attack.

Critically, Macy’s closed the vulnerability and removed the code on the same day it discovered the incident, and it contacted law enforcement. It also notified the credit card brands whose customers may have had their information exposed in the security event.

What is a Magecart Attack? 

“Magecart attacks” is an umbrella term for several different malware campaigns that implant card-skimming code on legitimate e-commerce domains. The name itself derives from an e-commerce platform.

Usually, a Magecart attack exploits a vulnerability in a website or its content management system. With that unauthorized access, threat actors inject malicious code into the webpages that handle financial data. Then all they have to do is wait; once payment information has been captured, they can use it to create cloned cards, make fraudulent purchases, or sell the aggregated data on the Dark Web.

Therefore, to remediate a Magecart attack, your enterprise must completely remove the malicious code and close the vulnerabilities that allowed it to be injected in the first place.

What the Experts Say About the Macy’s Breach

Robert Prigge

Robert Prigge is President of Jumio.

“The Macy’s data breach is concerning for two reasons. First, it released even more personally identifiable information into the dark web including names, emails, addresses and credit card information. This compromised data can be combined with other available information to create a ‘fullz,’ giving criminals everything they need to commit identity theft. 2019 has been a record year for fraud and criminals are splicing together information from disconnected breaches, creating full identity profiles for sale on the dark web. Once a fullz is purchased, cybercriminals exploit the power of bots to automate and perform account takeover (ATO) fraud at scale…If a person uses a password on the originally compromised website, bots can scour the web to find other websites where those same credentials are re-used to perpetrate ATO with relative ease.

Criminals will attempt to weaponize the overwhelming amount of exposed data on the dark web to take over the retail accounts of legitimate consumers or use stolen identity data to commit account registration fraud against online retailers. This highlights the pressing need for retailers—and any company with a digital presence—to adopt biometric authentication solutions to protect their users and online ecosystem from digital identity fraud by verifying a user’s digital identity matches their physical identity.” 

Chris Kennedy

Chris Kennedy is CISO and VP of Customer Success at AttackIQ.

“Consumers trust companies to keep their data secure and with the holiday season around the corner, this is at the top of mind. Cybercriminals are continuously looking for gaps in security defenses and vulnerabilities to turn a quick profit. In this incident, valuable financial information was stolen including credit card numbers, security codes, and expiration dates. During peak holiday shopping season, companies must continuously validate their security controls to make sure they prove enabled, configured correctly, and operating effectively. What’s more, companies should proactively test and evaluate their cybersecurity posture to find vulnerabilities and remediate them before they can be exploited by bad actors.” 

How to Learn More

How can you keep an eye out for the kind of Magecart attack that caused the Macy’s breach? One answer is deploying and maintaining a next-generation SIEM solution. Crucially, SIEM solutions can monitor for web vulnerabilities and malicious code injections; they can also alert your security team when malicious code is detected and freeze potential security events for investigation.
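One concrete check that can feed such alerts is a page-integrity audit of the checkout page: compare the scripts the page actually serves against a known-good baseline and flag anything new. The script below is an added illustration, not code from Macy’s or from any SIEM product; the baseline origins, the sample HTML and the hostnames in it are constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed baseline for a checkout page: the script origins the page is known
# to load from, and SHA-256 digests of the inline scripts it legitimately contains.
BASELINE_ORIGINS = {"www.example-shop.test", "cdn.example-shop.test"}
BASELINE_INLINE_SHA256 = {hashlib.sha256(b"initCheckout();").hexdigest()}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def audit_checkout_page(html, baseline_origins=BASELINE_ORIGINS,
                        baseline_inline=BASELINE_INLINE_SHA256):
    """Return (unexpected_origins, unexpected_inline_digests) for the served HTML.

    External scripts are judged by host (relative URLs count as same-origin);
    inline scripts are judged by the SHA-256 of their body, so any edit to a
    known inline script, or any newly injected one, shows up as unknown.
    """
    unexpected_origins, unexpected_inline = [], []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).netloc.lower()
            if host and host not in baseline_origins:
                unexpected_origins.append(src.group(1))
        else:
            digest = hashlib.sha256(body.strip().encode()).hexdigest()
            if digest not in baseline_inline:
                unexpected_inline.append(digest)
    return unexpected_origins, unexpected_inline


# Constructed sample: a checkout page carrying one script tag that is not in the
# baseline, which is the shape a skimmer injection on a checkout page takes.
SAMPLE_HTML = """
<html><body>
<script src="https://cdn.example-shop.test/checkout.js"></script>
<script>initCheckout();</script>
<script src="https://unknown-cdn.placeholder.test/s.js"></script>
<form id="payment">...</form>
</body></html>
"""

if __name__ == "__main__":
    origins, inline = audit_checkout_page(SAMPLE_HTML)
    for origin in origins:
        print("ALERT unexpected script origin:", origin)
    for digest in inline:
        print("ALERT unknown inline script sha256:", digest)
```

Run the audit on a schedule against the live checkout and wallet pages and forward any non-empty result to the SIEM; the baseline must be refreshed through the normal release process, otherwise legitimate deployments will also trip the alert.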

Indeed, you can learn more about SIEM solutions in our Buyer’s Guide! We cover the top providers and their key capabilities in detail.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghostwriter. You can reach him via Twitter and LinkedIn.