‘A small number’ of Macys.com and Bloomingdales.com shoppers were involved in a data security incident, the retail chain said.

Macy’s Inc.’s e-commerce site suffered a data security breach between April 26-June 12 that allowed criminals access to credit and debit card information, names and birthdays of “a small number” of Macys.com and Bloomingdales.com customers.

“We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures,” a Macy’s spokeswoman tells Internet Retailer. “Macy’s Inc. will provide consumer protection services at no cost to those customers.”

Macy’s has contacted the “potentially impacted customers,” the spokeswoman says.

This is the second time this month a large retailer suffered an e-commerce data breach, as Adidas AG, No. 61 in the Internet Retailer 2018 Top 1000, alerted shoppers last week of leaked data, including contact information, usernames and encrypted passwords. Macy’s is No. 6 in the Top 1000.

The login credentials that the criminals used to steal the customer information were not obtained from Macys.com. Macy’s could not give further details.


It’s difficult to say how the Macy’s security breach happened, as there are so many different touch points on a database and network, says Don Bush, vice president of marketing at fraud prevention services provider Kount.

“People need to understand the complexity and sophistication of the criminals out there that are doing these types of things,” Bush says. “Macy’s has to meet these regulations and compliance and all these standards and fraudsters don’t. [Criminals] come in with guns a-blazing, so to speak and look for any weakness inside Macy’s network, third party or an errant employee.”

It is likely that a top retailer like Macy’s has a robust fraud prevention system in place. However, it could be that any of the vendors it uses that has access to customer data does not have the proper prevention systems.

Data breaches are only going to increase and become “more of an everyday occurrence,” Bush says. With stores adopting point-of-sale systems using the more secure EMV payment systems, fraudulent online transactions are increasing, he says.


“These fraudsters—when one method stops working, they don’t give up, they move on,” Bush says. “They don’t retire.”

Online retailers should ensure that the fraud prevention technology they use takes into account not only customer data—like usernames and passwords—but also behavioral data, Bush says. For example, if the credentials a shopper is using for payment is for a Texas-based shopper, but the IP address for the device shopper is using is in the Ukraine, a retailer’s system should flag that transaction as potentially fraudulent.