Macy’s has revealed customer data could have been breached on both Macys.com and Bloomingdales.com, with the number of accounts affected unclear.
Macy’s reportedly sent a notice to its online customers on June 27, warning consumers of a possible data breach on its e-commerce platform. According to the department store retailer, the security incident involved “unauthorized access to personal information” between late April and mid-June.
“On June 11, 2018, our security suite alerted us to a spike in anomalous login activities on Macys.com and Bloomingdales.com,” Michael McCullogh, CPO and VP of Enterprise and Information Management at Macy’s, wrote in a note to the Attorney-General.
“Our investigation showed that beginning on or about April 26, 2018, through our remediation on June 12, the attacker used valid user credentials (usernames and passwords) to login to some online profiles.”
While Macy’s has not disclosed how many customers have been affected by the breach, it did say in a statement to SC Media on Tuesday that only “a small number of customers at Macys.com and Bloomingdales.com” have been impacted.
The hackers reportedly gained access to customers’ first and last names, full addresses, phone numbers, email addresses, birthdays and credit card numbers with expiration dates.
After being notified of the breach, Macy’s opened an investigation and says it blocked the affected customer accounts until passwords could be updated.
In its statement, the company said it believes the user credentials the attackers used to gain access to the customer accounts were obtained “from a source other than Macy’s”.
Since announcing the attack, Macy’s claims to have increased its security measures.
“We have addressed the cause [of the breach] and, as a precaution, have implemented additional security measures,” company representatives told SC Media.
However, some security specialists believe this isn’t enough, comparing Macy’s additional security measures to “installing fire extinguishers after a building has burnt to the ground”. These specialists are reportedly advocating for retailers like Macy’s to add multi-factor authentication to their online customer login programs.
Macy’s is the latest retailer to report a security breach, joining the ranks of other high-profile brands, including Adidas, Forever21, Sears, and Whole Foods, to name a few.
This comes after a number of pureplay and multichannel retailers from across the globe were impacted by the PageUp data breach last month, in which hackers potentially accessed the personal data of millions of job applicants worldwide.