US department store Macy's the latest company to be compromised in Magecart attack
Macy's claims that it discovered the Magecart compromise of its payment pages within seven days
Payment card details of a number of Macy's customers were stolen after hackers injected the company's website with malicious scripts in a Magecart attack.
The iconic US department store chain says it was alerted to the data breach on 15 October 2019. An initial investigation revealed that the company website, Macys.com, was inappropriately communicating with some remote website under the control of a hacking group.
The attack likely happened on 7th October 2019, according to Macy's, with an unauthorised third party adding malicious script on two web pages - the 'Checkout' page and 'My Wallet' page - enabling the attackers to eavesdrop on sensitive information submitted on those pages.
Only a small number of customers were affected by the data breach, the company claimed
The Checkout page conveyed information to hackers when a customer entered credit card details and hit the "place order" button.
Similarly, the My Wallet page also provided customers' private details, including their name, address, city, state, email address, phone number, debit/credit card number, card's security code, and more.
The malicious script on the website was removed on 15th October 2019.
After that, Macy's informed law enforcement agencies, as well as credit card issuers.
Only a small number of customers were affected by the data breach, the company claimed. It added that they have been notified about the incident. The affected customers have been advised to monitor their payment card statements for any signs of fraudulent activity.
"There is no reason to believe that this incident could be used by cyber criminals to open new accounts in your name," the company added in its 'Notice of Data Breach'.
"Nonetheless, you should remain vigilant for incidents of financial fraud and identity theft by regularly reviewing your account statements and immediately reporting any suspicious activity to your card issuer."
The company is offering a free year of the Experian IdentityWorks credit monitoring service to affected users.
Macy's also stated that it has thoroughly investigated the matter and taken appropriate security measures to ensure that such incidents should not be repeated in future.
A few months back, cyber security firm Malwarebytes warned ecommerce companies of a summer surge in activity by web-skimming Magecart gangs, targeting organisations' online payments systems.
The firm claimed that it had blocked 65,000 web-skimming Magecart data theft attempts in July alone.
Earlier in July, security researches warned that the skimmer code by Magecart payment-system hackers has already infected more than 17,000 websites worldwide.
And in May, security researchers at Malwarebytes uncovered a new rogue iFrame phishing technique that was being used by attackers to target online payments.