Macy's tells customers their payment information may have been stolen by hackers

Photo: Scott Olson / Getty Images. Some Macy’s customer data was stolen.
  • Macy’s website recently suffered a data breach.
  • An investigation on October 15 found that Macys.com was linked to a website that stole customer payment data on the “Checkout” and “My Wallet” pages, the company wrote in a notice mailed to customers on Thursday.
  • “We are aware of a data security incident involving a small number of our customers on Macys.com,” a representative from Macy’s said in a statement. “We have investigated the matter thoroughly, addressed the cause and have implemented additional security measures as a precaution.”

Some Macy’s customer payment data was stolen when its website was hacked last month, the company wrote in a notice.

In a letter sent to customers on Thursday, Macy’s informed shoppers about the breach, which the company believes occurred when a third party attached malicious computer code to Macys.com via the “Checkout” and “My Wallet” pages.

“On behalf of Macy’s, we are writing to inform you about a recent incident involving unauthorised access to personal information about you on macys.com,” the company wrote in the notice to customers. “We regret that this incident occurred and appreciate your time to read this letter.”

According to the letter, the company’s security team began an investigation into the matter after it was notified of the breach on October 15 and removed the unauthorised code that same day. The company said it believes that the website was initially breached a week prior to that, on October 7. Bleeping Computer first reported the news.

“We are aware of a data security incident involving a small number of our customers on Macys.com. We have investigated the matter thoroughly, addressed the cause and have implemented additional security measures as a precaution,” the company said in a statement to Business Insider.

The company added that all impacted customers were notified of the breach and are being offered consumer protections at no cost.

Bleeping Computer reported on the breach on Monday and identified the compromise as a Magecart attack, a type of breach in which a website is compromised with malicious scripts that harvest the payment information customers enter.
