Macy’s customers’ credit card data gets leaked. Why do companies keep making the same mistakes?

According to web application security specialists, Macy’s department store has been affected by a data breach that has compromised the financial details of multiple store customers. This is the second time in less than two years that the company has suffered a data security incident. According to the Alexa voice assistant ranking, the Macy’s website is one of the most popular in the US.

The company mentions that hackers managed to inject malicious code into its website to extract multiple details, including:

  • Full names
  • Addresses
  • Phone numbers
  • Payment card data (including card number, expiration date and security codes)

The incident has already been reported to the California Attorney General’s office.

The data breach reportedly lasted for one week, from 7 to 15 October last. Although the company has not disclosed an exact figure, web application security experts estimate that, given the characteristics of the compromised information and the duration of the attack, there could be thousands of customers affected.

This is the most recent case of an attack against a website to extract credit card information, a very common data breach variant. Although it is still unknown who is behind the attack on Macy’s, some members of the cybersecurity community attribute this crime to the hacking group Magecart, whose history includes attacks against high-profile websites, including data breaches at British Airways, Ticketmaster, Newegg and some health care services companies.

A few months ago, Macy’s revealed that a group of hackers had access to its networks for a long time, during which they managed to extract payment card information from about 0.5% of the company’s customers. As reported by the International Institute of Cyber Security (IICS) web application security experts, the incident culminated in a class action lawsuit against Macy’s due to its questionable security practices.