Macy’s Data Breach Will Have Aftershocks As Well
‘Tis the season to be wary. That is the very unfestive truth, at least for this year it seems, as department store Macy’s has warned that web skimmer malware was discovered on the Macys.com website last month, collecting a small number of customers’ payment card information. The attack has been linked to Magecart, an umbrella group made up of various cybercriminal affiliates that is known for injecting payment card skimmers into ecommerce websites.
Macy’s sent out a data breach notice to their customers that stated, in part, “An unauthorized third party added unauthorized computer code to Macys.com on Oct. 7. The code, which was discovered and removed on Oct. 15, was collecting customers’ first and last names, addresses, phone numbers and email addresses, payment card information including number, security code, and expiration dates.”
The retail giant added that they felt there was no reason to believe that the incident could be used by cybercriminals to open new accounts in the affected customers’ names. The statement continued, “Nonetheless, you should remain vigilant for incidents of financial fraud and identity theft by regularly reviewing your account statements and immediately report any suspicious activity to your card issuer.”
Dealerscope spoke to noted cyber security expert Ray Walsh at ProPrivacy.com, who talked about cyber aftershocks consumers need to be aware of.
“Revelations that card skimming software has been injected into Macy's checkout and wallet pages is a massive cause for concern. Malevolent card skimming software is designed to steal people's card details as they enter them to pay for goods, and means that anybody who used the checkout or wallet pages of Macy's websites could potentially have had their sensitive card details stolen,” Walsh warned. “The timing of this attack couldn't have come at a worse time for Macy's, who were surely hoping to cash in as the US' favorite Thanksgiving retailer.”
Walsh added that any consumers who think they may have been victimized need to be aware that they could potentially be targeted with phishing emails designed to make them hand over further sensitive information.
“Consumers who recently made a purchase on the Macy's website must keep a close eye on their email inboxes. If they receive an email that contains their financial data and encourages them to follow a link, or to provide personal information, they must delete the email at once,” Walsh added.
Walsh also explained that affected consumers should file a report with the Federal Trade Commission by calling the FTC Identity Theft Hotline, and additionally contact one of the three major credit bureaus to place a fraud alert on their credit records.