Macy’s holiday breach highlights retailer’s need for encryption and scrutiny of third-party systems

Attackers were collecting user credit card information for an entire week from the Macy’s website before they were alerted. Here’s how retailers can protect themselves.

Strong Black Friday and Cyber Monday sales crush fears of retail apocalypse but not cyber security concerns
The holiday shopping season is off to a record breaking start but analysts are reminding consumers to play it safe online.

Just a few weeks before America spends billions of dollars on Black Friday, Macy’s is facing a PR nightmare after it was forced to notify thousands of customers that their credit card information was sent to cybercriminals during a hack on October 7. 

The billion-dollar retailer, which controls nearly 600 stores across the country, said hackers injected malicious “card-skimming” JavaScript into their ‘Checkout’ and ‘My Wallet’ pages, meaning the credit card information, addresses and names of thousands were recorded on another website that could be accessed by the attackers. 

These types of attacks, called MageCart, are becoming increasingly common as more people open small online businesses and fail to encrypt their sites while recording customer information. Macy’s was only notified of the attack more than seven days later on October 15, meaning thousands of customers spent days handing their information over to criminals who may use it themselves or sell it on the dark web

“On October 15, 2019, we were alerted to a suspicious connection between and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two pages on,” the company wrote in a letter sent out to affected customers earlier this month. 

“The unauthorized code was highly specific and only allowed the third party to capture information submitted by…