Hackers stole identity and credit card data from Macys.com’s check out and My Account pages for a week in October.

Department store chain Macy’s Inc. has disclosed that a hacker inserted malicious code on Macys.com that could have stolen customer data entered online from Oct. 7-15.

A “small number of customers” were impacted in that period, a Macy’s spokeswoman tells Digital Commerce 360. The breach impacted shoppers who entered payment information on the checkout or My Account Wallet page on Macys.com, but it did not affect shoppers using the Macy’s mobile app. The potentially stolen data includes a shopper’s full name, address, city, state, ZIP code, phone number, email address, payment card number, payment card security code and card expiration date.

Because that amounts to a large amount of information about an individual, the hackers could use this data to hijack a person’s identity in order to make fraudulent purchases, and for phishing attacks, which can further trick shoppers into giving up more data, says Ray Walsh, data privacy advocate at ProPrivacy.com.

“Consumers who recently made a purchase on the Macy’s website must keep a close eye on their email inboxes,” Walsh says. “If they receive an email that contains their financial data and encourages them to follow a link, or to provide personal information, they must delete the email at once.”

Walsh recommends that impacted customers file a report with the Federal Trade Commissions and place a fraud alert on their credit records. Macy’s is offering to pay for affected customers to receive identity-protection services for a year via Experian IdentityWorks.


Macy’s (No. 5 in the Internet Retailer 2019 Top 500) declined to say how it identified the malicious code or how it got onto its site.

“Our security teams quickly engaged a leading forensic firm to remove the threat,” the spokeswoman says. “Details of this incident were reported to federal law enforcement for investigation and to assist other websites in managing this threat.”

With just days before the biggest shopping period of the year around Thanksgiving weekend, the timing of the attack could not have been worse for Macy’s, Walsh says.

A March 2019 survey of 1,000 North American online shoppers from website security firm SiteLock finds that 32% of consumers say they won’t shop with a retailer where they previously had their information stolen. Plus, 56% of shoppers say it will take them a month to return to shop with any retailer after an online data breach, regardless if they were personally impacted. Either way, this is bad news for Macy’s with Black Friday and Cyber Monday on the horizon, says Monique Becenti, channel and product specialist at SiteLock.

“This breach may severely impact Macy’s sales during the biggest shopping season of the year by decreasing customer confidence and trust,” Becenti says.


The breach highlights that even large retailers with ample resources can still be vulnerable to cyber crime, she says. Besides having firewalls and fraud security technology, Becenti recommends for online retailers to ensure their ecommerce platform is up to date and review activity logs on the server to discover any abnormal activity.

Data breaches and fraud are increasing for online retailers. Internet Retailer Magazine’s just-published story, “Retailers adapt to rising fraud rates,” details the most common types of ecommerce fraud and how retailers can minimize losses.