Nightmare Before Thanksgiving: The Macy’s Data Breach


Thanksgiving Day is usually a highlight of the year for retailer Macy’s, but this year a slight pall will be cast over the brand’s big Thanksgiving Day Parade. The normal air of holiday jubilation will be paired with some stiff headaches for the parade’s namesake sponsor, all due to a security incident affecting

Macy's revealed the breach of its website took place over one week in October, calling the attack “highly sophisticated” and “targeted.” Hackers swiped information on some customers as they shopped online, according to the retailer. Exposed information included name, address, phone number, email address, and credit card number, expiration date, and security code.

This is not the first time Macy's has been targeted by cyberthieves. Accounts belonging to thousands of the retailer's online customers were compromised in an incident just last year as well.

As if the holiday timing wasn’t bad enough, the company revealed the breach just ahead of its Q3 earnings call. Macy's shares fell nearly 11% the day after the news of the data breach first surfaced.

What Happened

The Cincinnati-based retailer notified customers about the breach in a letter, saying that Macy's had been alerted to a "suspicious connection" between its e-commerce platform and another website on October 15. 

"Based on our investigation, we believe that on October 7, 2019, an unauthorized third party added unauthorized computer code to two pages on The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two pages," the company said. The two pages were the checkout page and the wallet page on; the mobile app was not affected.

The unauthorized third party is believed to be affiliated with the Magecart cybercrime syndicate. Magecart operators gain access to a website either directly or through a third-party service it loads, then inject malicious JavaScript into the checkout pages so that the data shoppers type into online payment forms is copied to the attackers as it is submitted. Other companies that have fallen prey to this form of attack are Ticketmaster and British Airways.

The Macy’s Cleanup

In its emailed statement to customers, Macy’s said affected individuals will be offered free consumer protection services. It declined to say how many were actually affected, only saying it was a “small number.”

"Affected customers have been notified and will receive additional information, including instructions on how to enroll in consumer protection services at no cost," the company said.

"Our security teams quickly engaged a leading forensic firm to remove the threat. Details of this incident were reported to federal law enforcement for investigation and to assist other websites in managing this threat. Security and privacy remain our priority."

Speed is King

To its credit, the retailer acted swiftly and decisively to address the breach and take appropriate actions. Acting with urgency is one of the top six things companies can do today to prepare for a data breach before it happens.

For any company—retail or otherwise—the best plan is to prepare for a data breach as if it’s going to happen. Putting controls in place, preparing breach response plans, automating processes, and keeping key personnel up-to-date before a breach occurs are monumental undertakings. LogicGate’s IT Security Management software can help you stay on top of the checks-and-balances that keep your company on the right track and out of the headlines. LogicGate’s automated system will help you manage your company’s cybersecurity standards, significantly reducing the risk of breaches and reputational damage.
