Macy's data breach sees customer payment details stolen

Macy's has revealed its website suffered a security breach for a week in October exposing the personal information of customers including their payment details.

As Bleeping Computer reports, the data breach occurred on macys.com and is known as a Magecart attack. Hackers managed to insert malicious code into Checkout and My Wallet pages of the department store's website, which then proceeded to collect the personal information of customers who used the site.

The malicious code was present on the website from Oct. 7 until Oct. 15, meaning if you shopped there between those dates your personal details were likely stolen. The information collected by an unauthorized third party include first name, last name, address, city, state, zip, phone number, email address, payment card number, security code, and month/year of expiration. In other words, they got everything.

Macy's believes only a "small number of our customers" were impacted by the data breach. Even so, a forensics firm was hired to investigate what happened, law enforcement was notified, and all the major payment card companies were informed of the breach. Customers have been emailed if Macy's believes their data was stolen, with guidance on what action to take if they see anything suspicious with regards to their identity or payment records. Experian IdentityWorks protection is also being offered to affected customers for free for 12 months.

Shopping online continues to be a risk, simply because you are reliant on stores having bulletproof security in place to protect you details. As Macy's proves, this simply isn't the case and therefore its up to consumers to protect themselves, we just need more ways of achieving "at point of payment" protection easily.

Apple recently launched its own payment card with no numbers to type in or reuse. Maybe that needs to be how all credit cards work in future.