In October 2019, the U.S. retailer quietly disclosed that it had discovered malicious authorized third-party code on Macys.com, collecting the personal information of customers as they checked out on payment pages. The breach lasted from October 7th until October 15th and compromised the personal information of every person who made a purchase during that time.
Magecart continues to threaten online websites
The attack appears to be the work of Magecart — a web skimming cybercriminal syndicate that has made headlines this year for attacking some of the largest websites on the internet.
Magecart attacks have been disclosed at Ticketmaster, British Airways, and Newegg — and earlier in the year, it was reported that Magecart skimming code has been spotted on over 2 million websites and has compromised at least 18,000 domains.
While Magecart attacks typically focus on collecting payment details like credit card numbers or security codes, web skimming or e-skimming attacks can be used to steal any personal information that is being entered into a website. This means any website that collects valuable private data, such as online banking credentials or social security numbers, is a likely target for an attack — meaning most businesses with an online presence are at risk.
Blindness in the browser translates to e-skimming success
In most cases, Magecart skimmers are only discovered after they have been placed and customer data has been stolen since most companies lack the browser-level protection that would enable them to prevent data from being exfiltrated if a script is compromised. In other words, web security teams are fighting a losing battle — these attacks are difficult to detect and there is nothing to stop the breach from happening once they are infected.
Web skimming protection is essential to mitigating risk
As web skimming attacks like Magecart continue to grow in popularity among hackers, organizations must take responsibility for the customer information they collect and ensure they are taking all the necessary steps to reduce risk and keep personal data safe.
Learn more about what went wrong for Macy’s and why web skimming protection in the browser is the only way to protect customer data.
*** This is a Security Bloggers Network syndicated blog from Instart blog RSS authored by Jon Wallace. Read the original post at: https://www.instart.com/blog/macys-data-breach-magecart