Shares for Macy’s Inc. are plummeting on Tuesday after the retailer disclosed today a data hack of its website a month ago.
In a letter dated Nov. 14, the Cincinnati-based mega retailer wrote that some customers who shopped on Macys.com in October may have been affected by a security breach involving “unauthorized access to personal information.”
It said it had been alerted to the “suspicious connection” between its e-commerce platform and another website on Oct. 15. It began an investigation of this connection and successfully removed the malicious code that greased the hack.
As of 3:00 p.m. ET, Macy’s stock was down more than 10.5% to $15.10.
In the memo, the department store chain shared that an unauthorized third party added unauthorized computer code to two pages on Macys.com on Oct. 7. It explained that the code allowed the third party to gain access to information submitted by customers on both the Macys.com checkout page, where credit card data is entered, and the site’s wallet page, which is accessed through the shopper’s “My Account” menu.
According to Macy’s, the hackers potentially accessed data including the customer’s first and last name, address, phone number, email address, as well as the payment card number and security code.
Writing to FN, a company spokesperson said, “We are aware of a highly sophisticated and targeted data security incident related to Macys.com that affected a small number of customers during a one-week period in October. [The retailer didn’t specify how many “a small number” is precisely.] Our security teams quickly engaged a leading forensic firm to remove the threat. Details of this incident were reported to federal law enforcement for investigation and to assist other websites in managing this threat.
“Affected customers have been notified and will receive additional information, including instructions on how to enroll in consumer protection services at no cost,” the spokesperson added. “Security and privacy remain our priority.”
It’s not the first time Macy’s has been hit with a cybersecurity attack. In July 2018, Macy’s informed customers of a breach that lasted from April 26 through June 12. It said that a third party gained access to accounts on Macys.com and Bloomingdales.com using valid usernames and passwords.
How Shoppers Want Retailers to Respond to Data Breaches
What the Macy’s Data Breach Means for Customers
From Macy’s to Adidas: These Are the Fashion Brands That Faced Data Hacks in 2018