Macy’s holiday breach highlights retailers’ need for encryption and scrutiny of third-party systems
Attackers were collecting customers’ credit card information from the Macy’s website for an entire week before Macy’s was alerted. Here’s how retailers can protect themselves.
Just a few weeks before America spends billions of dollars on Black Friday, Macy’s is facing a PR nightmare after it was forced to notify thousands of customers that their credit card information was sent to cybercriminals during a hack on October 7.
These types of attacks, known as Magecart, in which unauthorized code added to a retailer’s pages captures the information customers submit, are becoming increasingly common as more people open small online businesses and fail to encrypt their sites while recording customer information. Macy’s was only notified of the attack more than seven days later, on October 15, meaning thousands of customers spent days handing their information over to criminals who may use it themselves or sell it on the dark web.
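The defensive counterpart to the attack described above is continuous auditing of what a checkout page actually loads. The following example is added here for illustration; it is not Macy’s code and does not describe the incident itself. It keeps a baseline of the script hosts a checkout page is allowed to use and the SHA-256 digests of its inline scripts, re-audits a fetched copy of the page, and flags any script from an unexpected host or any inline script whose hash has changed. It also emits a Content-Security-Policy built from the same baseline, so the browser itself refuses unlisted scripts and limits where page scripts may send data. The HTML pages, hostnames and baseline values are constructed samples.

```python
"""Audit a checkout page's scripts against a baseline (added illustration).

Constructed example: the hostnames, page contents and baseline hashes
below are invented for the demonstration and are not from any real site.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed baseline: hosts allowed to serve scripts to the checkout page,
# and SHA-256 hex digests of the inline scripts the page shipped with.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}
BASELINE_INLINE_HASHES = {
    hashlib.sha256(b"window.checkoutReady = true;").hexdigest(),
}

# Constructed sample pages: the page as deployed, and a copy with an extra
# third-party script and a modified inline script.
CLEAN_PAGE = (
    '<html><body><form id="payment"></form>'
    '<script src="https://cdn.example/checkout.js"></script>'
    '<script>window.checkoutReady = true;</script>'
    '</body></html>'
)
TAMPERED_PAGE = (
    '<html><body><form id="payment"></form>'
    '<script src="https://cdn.example/checkout.js"></script>'
    '<script src="https://stats-collector.example/s.js"></script>'
    '<script>window.checkoutReady = true; window.extraFlag = 1;</script>'
    '</body></html>'
)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of src= on <script> tags
        self.inline = []     # exact bodies of <script> tags without src=
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> contents verbatim via handle_data.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            # Keep the exact bytes: CSP hashes cover the literal script text.
            self.inline.append("".join(self._buf))
            self._in_inline = False


def audit_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS,
               baseline=BASELINE_INLINE_HASHES):
    """Return a list of findings; an empty list means the page matches."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname or ""
        if host not in allowed_hosts:
            findings.append(f"script from unexpected host: {src}")
    for body in parser.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in baseline:
            findings.append(f"inline script not in baseline: sha256={digest}")
    return findings


def build_csp(allowed_hosts=ALLOWED_SCRIPT_HOSTS,
              baseline=BASELINE_INLINE_HASHES):
    """Build a CSP header value that permits only the baselined scripts.

    script-src limits which scripts run; connect-src limits where scripts
    on the page may send data with fetch/XHR.
    """
    hosts = " ".join(f"https://{h}" for h in sorted(allowed_hosts))
    # CSP expresses inline-script hashes as base64 of the raw digest.
    hashes = " ".join(
        "'sha256-" + base64.b64encode(bytes.fromhex(d)).decode() + "'"
        for d in sorted(baseline)
    )
    return f"script-src {hosts} {hashes}; connect-src {hosts}"


if __name__ == "__main__":
    print("clean page:", audit_page(CLEAN_PAGE) or "no findings")
    for finding in audit_page(TAMPERED_PAGE):
        print("tampered page:", finding)
    print("Content-Security-Policy:", build_csp())
```

Run against a fetched copy of the live checkout page on a schedule, the audit turns an unexpected third-party script into an alert within minutes rather than a week; the CSP, served as a response header, makes the browser block such a script outright and denies page scripts a channel to unlisted hosts. Any legitimate change to the page must update the baseline, which is the point: the review step is where third-party code gets scrutinized.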
“On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two pages on macys.com,” the company wrote in a letter sent out to affected customers earlier this month.
“The unauthorized code was highly specific and only allowed the third party to capture information submitted by…