Macy's on Tuesday confirmed it had suffered a "highly sophisticated and targeted data security incident related to macys.com that affected a small number of customers during a one-week period in October," according to an email to Retail Dive from a company spokesperson.
The exposed information potentially includes customer first and last names, addresses, phone numbers, and payment card numbers, security codes and expiration dates; mobile transactions were not affected, according to a notice filed with the California attorney general. The Macy's spokesperson didn't immediately respond to Retail Dive's question regarding how many customers were affected, but California law requires a business to notify the attorney general of any breach affecting more than 500 California residents.
"Our security teams quickly engaged a leading forensic firm to remove the threat," the Macy's statement also said. "Details of this incident were reported to federal law enforcement for investigation and to assist other websites in managing this threat. Affected customers have been notified and will receive additional information, including instructions on how to enroll in consumer protection services at no cost. Security and privacy remain our priority." Macy's and Macy's-owned Bloomingdale's last year suffered a similar breach.
The holidays are the season not only for good cheer, but also for data hacks like these.
Macy's revelation comes at a touchy moment for the retailer, which needs a healthy performance in the final quarter. Investors were already a little gloomy about those prospects on Tuesday after a tepid third quarter report from Kohl's indicated further trouble for a department sector on the wane. Macy's shares were down late in the day.
It's a blow to customer trust that comes at a particularly inopportune, and vulnerable, time. More than half of shoppers say it takes them a month or so to shop again with a retailer that has a breach, so "Macy's may be missing half their customers this Black Friday/Cyber Monday," website security firm SiteLock said in emailed comments.
A third of customers directly affected by a breach never return, and, overall, two thirds of consumers are wary of their personal information getting stolen when they shop online, according to SiteLock.
The Macy's breach went undetected long enough to cause real problems, according to Anurag Kahol, CTO of cloud security firm Bitglass.
"Unfortunately, when malicious parties compromise payment card information and personally identifiable information (PII), they can make fraudulent purchases, sell said data on the dark web, and much more," he told Retail Dive in an email. "The sensitive data was left vulnerable for over a week before Macy's discovered the leak. Organizations must have complete visibility and control over their data to put them in a better position this holiday season, and year round, to identify and remediate vulnerabilities that could be exploited by malicious actors."
While Macy's wouldn't say just how many people were affected, a breach undetected for a week "can result in many thousands of compromised credit cards," according to emailed comments from Jarrod Overson, Director of Engineering at attack and fraud prevention company Shape Security. Macy's likely failed to implement security features available through web browsers, he said. Although it's not clear whether that would have prevented the attack, it may have alerted the retailer to it in a more timely manner, Overson also noted.
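The article does not name the browser security features Overson had in mind. One that fits his description, a control that may not stop a script injected into a checkout page but would surface it quickly, is Content Security Policy (CSP) with violation reporting, which is an assumption made for the example below. The code is an added illustration, not code from Macy's, Shape Security or Retail Dive: it builds a CSP header in either report-only or enforcing mode, then triages the JSON violation reports browsers send back, flagging script loads and outbound connections to hosts outside an allow-list. The hostnames, report endpoint and sample reports are constructed for the example.

```python
"""Added example: CSP header construction plus triage of browser violation
reports. Hosts, the report endpoint and the sample reports are invented."""
import json
from urllib.parse import urlsplit

# Hosts a checkout page is expected to load script from (assumed for the example).
ALLOWED_SCRIPT_HOSTS = {
    "www.example-retailer.com",
    "static.example-retailer.com",
    "js.example-psp.com",
}
# Endpoint that collects reports; assumed, not a real URL.
REPORT_ENDPOINT = "https://csp.example-retailer.com/report"


def build_csp(allowed_hosts, report_only=False):
    """Return (header name, header value) for a checkout page.

    report_only=True sends violation reports but still lets the offending
    resource run: it alerts without preventing. report_only=False blocks it too.
    report-uri is the widely supported (if deprecated) reporting directive.
    """
    sources = " ".join(sorted(allowed_hosts))
    value = (
        f"default-src 'self'; "
        f"script-src 'self' {sources}; "
        f"connect-src 'self' {sources}; "
        f"report-uri {REPORT_ENDPOINT}"
    )
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, value


def triage_report(raw, allowed_hosts):
    """Classify one CSP violation report (the JSON body a browser POSTs).

    Script from an unknown host, or an outbound connection to one, on a
    payment page is treated as high severity: that is what a card skimmer
    looks like from the browser's side. Everything else is policy noise.
    """
    body = json.loads(raw).get("csp-report", {})
    directive = body.get("effective-directive") or body.get("violated-directive", "")
    blocked = body.get("blocked-uri", "")
    # blocked-uri is a URL for remote resources, or a keyword such as "inline".
    host = urlsplit(blocked).hostname or blocked
    on_payment_page = "/checkout" in body.get("document-uri", "")
    unexpected = bool(host) and host not in allowed_hosts
    if directive.startswith("script-src") and unexpected:
        severity, reason = ("high" if on_payment_page else "medium"), "unexpected script source"
    elif directive.startswith("connect-src") and unexpected:
        severity, reason = ("high" if on_payment_page else "medium"), "unexpected outbound connection"
    else:
        severity, reason = "low", "policy noise"
    return {
        "severity": severity,
        "directive": directive,
        "host": host,
        "document": body.get("document-uri", ""),
        "reason": reason,
    }


# Constructed sample reports, not data from any real incident.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://www.example-retailer.com/checkout/payment",
        "effective-directive": "script-src",
        "blocked-uri": "https://cdn-stats.example-evil.net/s.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.example-retailer.com/checkout/payment",
        "effective-directive": "connect-src",
        "blocked-uri": "https://cdn-stats.example-evil.net/collect"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://www.example-retailer.com/",
        "effective-directive": "style-src",
        "blocked-uri": "inline"}}),
]

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}


def alerts(reports, allowed_hosts=ALLOWED_SCRIPT_HOSTS, min_severity="high"):
    """Return the triaged reports at or above min_severity."""
    triaged = (triage_report(r, allowed_hosts) for r in reports)
    return [t for t in triaged if SEVERITY_ORDER[t["severity"]] >= SEVERITY_ORDER[min_severity]]


if __name__ == "__main__":
    print(build_csp(ALLOWED_SCRIPT_HOSTS, report_only=True))
    for alert in alerts(SAMPLE_REPORTS):
        print(alert)
```

Starting in report-only mode is the usual first step, because a policy that is too tight breaks checkout for legitimate scripts; the trade-off is exactly the one the article describes, since report-only would have alerted on a skimmer without stopping it. The triage keys on the page path so that a third-party script appearing on a payment page ranks above the same event on the home page.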
The breach could get expensive for Macy's, in light of strict data protection regulations enacted in California and elsewhere, according to Bitglass's Kahol. He noted that California regulations coming into effect in January set fines "not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater."