Retail giant Macy’s Inc. (NYSE: M) revealed on Tuesday that its e-commerce website, Macys.com, was the victim of a malware attack on October 7. The malware, known as Magecart, installs digital card-skimming software that allows a third party to steal data submitted by Macy’s customers on the wallet or checkout page. The code was removed on October 15, the date the company was notified of a possible breach.
Macy’s did not indicate how many customers may have been affected by the malware attack.
In a letter to customers, Macy’s said that the thieves could have gotten access to the following data: first and last name, address, phone number, email address, payment card number, payment card security code and payment card expiration date “if the values for these items were typed into the webpage while on either the macys.com checkout page or in the MyAccount wallet page.”
The company also noted that customers using a mobile device or the Macy’s mobile app were not affected by this attack.
Macy’s reported the attack to credit card issuers (including Visa, Mastercard, American Express and Discover) and “quickly” contacted federal law enforcement agencies once the attack was discovered.
In its letter, Macy’s reminded customers that there is “no reason to believe” that the stolen data could be used to open new accounts in their names but that they should let their credit card issuer know that their data may have been stolen. Macy’s will also pay for 12 months of Experian IdentityWorks protection for all customers who may have had their data compromised.
According to a 2018 report from data security firm RiskIQ, Magecart had infected more than 800 e-commerce sites worldwide with its card-skimming software. The software is not placed directly on the e-commerce site but is instead inserted in third-party code that a company like Macy’s then uses to build its own site. Once the skimming software is planted, the code captures the information customers enter as they type it and sends it back to the Magecart attackers.
The United Kingdom fined British Airways about $230 million following a 2018 Magecart attack that stole data from an estimated 500,000 of the airline’s customers.
Macy’s stock was pummeled following the report, with shares trading down about 10% to $15.27, in a 52-week range of $14.11 to $35.06. The 12-month consensus price target on the stock is $17.71.