SBN checkout page hacked; customers advised to be vigilant of fraud

American department store chain Macy’s has suffered an embarrassing data breach where hackers gained access to customers’ personal and financial information, including credit card numbers and even card security codes.

In a letter to affected customers, Macy’s reveals that an unknown cybercriminal or group of hackers targeted with malicious code placed strategically at the checkout page and My Account wallet page in order to grab credit card information usable for fraud.

The company noticed suspicious activity on October 15 and started an investigation. It then learned the hack had occurred more than a week earlier, on October 7, giving attackers plenty of time to exfiltrate enough personal and financial data to be used in fraud and identity theft.

According to the notice, cybercriminals “potentially” accessed customers’: First Name; Last Name; Address; City; State; Zip; Phone Number; Email Address; Payment Card Number; Payment Card Security Code; Payment Card Month/Year of Expiration if the values for these items were typed into the webpage while on either the checkout page or in the My Account wallet page.

“Customers checking out or interacting with the My Account wallet page on a mobile device or on the mobile application were not involved in this incident,” Macy’s said.

In a bid to protect customers against phishing scams leveraging this new data breach, the company underscores that it will never ask customers to provide their password or security question answers by phone, email, or text.

In traditional data-breach fashion, Macy’s takes it upon itself to foot the  bill for one year’s worth of credit card monitoring for all affected customers. The company also instructs customers to “remain vigilant for incidents of financial fraud and identity theft by regularly reviewing your account statements and immediately reporting any suspicious activity to your card issuer.”

Customers can also contact their card issuer and inform them of the breach, as well as ask for appropriate steps to protect their account.

*** This is a Security Bloggers Network syndicated blog from HOTforSecurity authored by Filip Truta. Read the original post at: