Macy’s Website Hacked, Customers Info and Credit Cards Stolen

Macy’s has announced a data breach caused by card-skimming code that was implanted in the firm’s online payment portal. The company sent a letter to customers saying that is was alerted to the security incident on October 15, and the Macy’s team quickly found that card-skimming script had been injected into two pages on the Macy’s website.

The code, believed to have been injected on October 7, impacted the Macy’s checkout page and wallet page, the latter of which is accessed through the “My Account” facility. In a filing with the California attorney general, the retail giant said hackers siphoned off customers’ names, addresses, and phone numbers, but also credit card numbers, card verification codes, and expiration dates by inserting malicious code on its website and quietly sending the stolen data back to the hackers.

Macy’s said the breach lasted a week, between October 7 and October 15. The retail giant did not say how many customers were affected, but the breach is likely to affect thousands of customers.

Last year, Macy’s admitted a months-long breach that saw hackers steal credit card data and passwords about 0.5% of its customer base — on both its website and Bloomingdale’s site, which Macy’s owns. The breach resulted in a class action suit.