Macy’s is notifying customers about a data security incident that might have exposed some of their personal and financial information.

The American department store chain said that it first learned of the incident back in mid-October. At that time, Macy’s security teams launched an investigation into a suspicious connection between and another website. They found that an unauthorized third party had added unapproved code to two of the chain’s web pages: the checkout page and the wallet page, which is accessible via My Accounts.

This code might have exposed customers’ personal and financial information in the event they used Macy’s website to make a purchase or store their payment data. These details might have included customers’ names, email addresses and payment card credentials.

Upon learning of the incident, Macy’s said it contacted federal law enforcement and hired a digital forensics firm to assist its security teams in their investigation. It also reported any and all payment card numbers that the incident might have compromised to their relevant card providers. Finally, it revealed that it implemented measures designed to prevent a similar event from occurring in the future.

In the meantime, Macy’s has also begun notifying and working with affected customers to help them protect themselves following the security incident. As the American department store chain described in its sample “Notice of Data Breach” letter:

We at value our client relationship, appreciate your business and would like to provide as much assistance as we can. Therefore, as an added precaution, we have arranged to have Experian IdentityWorks℠ to provide you with its identity protection services for 12 months at no cost to you.

More generally, Macy’s is urging customers to defend themselves against identity theft by regularly reviewing their financial statements for signs of behavior