Macy’s Customer data has been hijacked by hackers according to a notice posted by the company. The information posted reveals details about the security incident reveals that soon after the automated security systems detected the malicious user their accounts have been blocked. However Macy’s customer data may have been obtained by the criminal.
Here’s What We Know Macy’s Customer Data Breach
Macy’s published a Notice of Data Breach message giving details on the latest hacker intrusion — the hijacking of their company’s customer data. The document gives on details on the currently known information about the Macy’s customer data breach.
The notification reads that on June 11 2018 their automated cybersecurity software reported suspicious login activities that were related to certain online profiles on their online shop. This is the first reported instance of the hacker’s intrusion wherein they used valid combinations of usernames and passwords. Following this trigger a security investigation concluded that the login attempts were not done by the users, they are attributed to a malicious actor.
The origins of the harvested account profiles has resulted into an analysis of all prior login attempts. The security team reports that it is believed that between approximately April 26 and June 12 the hacker or criminal group behind the customer data breach have logged in to the systems. It is believed that the credentials were obtained from sources other than Macy’s systems as no vulnerabilities in their servers have been identified.
The login attempts resulted in the customer data hijacking of personal data stored in Macy’s systems. This includes the following:
- First and Last Name.
- Full Address.
- Phone Number.
- Email Address.
- Birthday (Month & Day only).
- Debit/Credit Card Number.
- Debit/Credit Card Expiration Dates.
The Macy’s breach notification message specifies that their server does not store the Credit Verification Values (CVV) or the customer’s social security numbers. Without the CVV code online payments cannot be made. At the moment there is no information about the malicious actor’s identity, it may be a single hacker or a criminal group.
The announcement of the data has prompted the security team to report the relevant payment card details to the banks and issuing organizations.
Other measures that have been taken are the addition of new security rules that are implemented in the customer logins systems. In addition the company is making certain AllClear ID identity protection available to the affected users.
Email notifications to the affected account users have been sent. The notification message can be accessed here.