Macy’s has reported that the company suffered a data breach in October. In a letter to affected customers, the company explains that a third party added unauthorized code, compromising personal information of online shoppers. The letter states:
On October 15, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, an unauthorized third party added unauthorized computer code to two pages on macys.com. The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two macys.com pages – the checkout page (if credit card data was entered and the “place order” button was hit) and the wallet page accessed through My Account. Our teams successfully removed the unauthorized code on October 15, 2019.
Information potentially accessed include: first and last name, address (city, state, zip) phone number, e-mail address, payment card number, payment card security code, payment card month/year of expiration, if the values for these items were typed into the pages while either on macys.com check out page or in the My Account wallet page.
Customers checking out or interacting with My Account wallet page on mobile or on macys.com mobile app were not affected. Affected customers received 12 months of Experian IdentityWorks.
In regards to online holiday shopping, the Federal Trade Commission reminds shoppers of these three tips: only shop on secure websites with an “https” address, stick to shopping apps that tell you what they do with your data and how they keep it secure and avoid holiday offers that ask you to give financial information – no matter how tempting. They might be trying to steal your identity.
If you are a victim of a data breach, visit identitytheft.gov to report identity theft and get a personal recovery plan.