A Cyberattack Targets Macy's Customers
On July 2, the New Hampshire Attorney General's office received a letter from Macy's Inc. which revealed that some of the retailer's clients had been targeted by a cyberattack.
When did it all happen?
The affected customers had accounts at macys.com and bloomingdales.com, and Macy's first learned about the intrusion when unusual login activity tripped the company's security systems on June 11. After further investigation, it was revealed that an unauthorized party had been using valid credentials to access Macy's customer accounts for about a month and a half. The letter doesn't say why Macy's IT staff failed to notice the attack earlier.
How did the hackers get in?
Macy's security people reckon that their system hasn't been compromised. They think that the crooks stole the username and password combinations from elsewhere, and it must be said that, while no independent researchers appear to have confirmed or denied this, it is a perfectly possible theory.
The rampant password reuse we see every day means that often, hackers don't need to compromise the security of a banking website in order to break into users' banking accounts. Instead, they can simply steal passwords from a small, obscure website that stores people's credentials in plain text and then try them out on a number of different online accounts. The attack is called credential stuffing, and unfortunately, it is sometimes ruthlessly effective.
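Credential stuffing leaves a recognizable shape in login logs: one source tries many different accounts, mostly fails, and occasionally gets in. The sketch below is an added example, not Macy's detection logic; the log format, addresses, account names and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log lines: "<timestamp> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = [
    # One source walking through many different accounts, one attempt each
    *[f"2024-01-01T10:00:{i:02d}Z 203.0.113.7 user{i}@example.com "
      f"{'OK' if i == 5 else 'FAIL'}" for i in range(8)],
    # A legitimate user mistyping a password, then succeeding
    "2024-01-01T10:01:00Z 198.51.100.4 alice@example.com FAIL",
    "2024-01-01T10:01:09Z 198.51.100.4 alice@example.com OK",
    # Repeated guesses against a single account (password guessing, not stuffing)
    *[f"2024-01-01T10:02:{i:02d}Z 198.51.100.9 bob@example.com FAIL"
      for i in range(6)],
]

def parse(line):
    """Split one log line into (source_ip, username, succeeded)."""
    _ts, ip, user, result = line.split()
    return ip, user, result == "OK"

def find_stuffing_sources(lines, min_accounts=5, max_success_ratio=0.25):
    """Flag sources that try many distinct accounts and mostly fail.

    Thresholds are illustrative assumptions. Returns
    {source_ip: sorted accounts that logged in successfully}, i.e. the
    accounts whose reused password worked and need a forced reset.
    """
    attempted = defaultdict(set)   # ip -> usernames tried
    succeeded = defaultdict(set)   # ip -> usernames with a valid login
    for line in lines:
        ip, user, ok = parse(line)
        attempted[ip].add(user)
        if ok:
            succeeded[ip].add(user)
    flagged = {}
    for ip, users in attempted.items():
        ratio = len(succeeded[ip]) / len(users)
        if len(users) >= min_accounts and ratio <= max_success_ratio:
            flagged[ip] = sorted(succeeded[ip])
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: possible credential stuffing; force reset for {accounts}")
```

A per-source count misses attempts spread across many addresses, so the same grouping is usually repeated on other keys such as user agent or network range.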
What did the hackers steal?
For some reason, the number of affected customers wasn't disclosed. The nature of the exposed data, however, was. Macy's admitted that once they were in, the hackers were able to make off with:
- Physical addresses
- Email addresses
- Dates of birth
- Credit card numbers and expiration dates
The fashion retailer's data breach notification letter says that its payment system doesn't store CVVs or Social Security numbers, but as we all know, there are websites that don't require a CVV to process payments.
It would appear that the crooks weren't satisfied with what they found. The letter to the Attorney General states that there's evidence pointing to a second attack. Apparently, the hackers tried to access encrypted credit card data from Macy's own system. While a bit vague, the letter's wording does suggest that the attempts were unsuccessful, and the company also points out that the attack was aimed at proprietary cards that can't be used outside Macy's.
What did Macy's do about the attack?
Upon seeing the suspicious login activity, the company's IT team immediately set up temporary measures to mitigate the risk, and within 24 hours, they stopped the attack completely. Financial data from the affected accounts was deleted, and the accounts themselves were locked up. Right now, if you're affected by the attack, you can't log in until you change your password.
Then, the company took to writing a rather detailed report of what had happened, complete with advice on what people can do in case they've fallen victim to the attack. Macy's letter urges all affected users to check their bank statements regularly and explains how they can also request annual credit reports from the three major credit bureaus. The company has also arranged to give victims one year's worth of identity theft protection services through AllClear ID for free. Since payment card details have been compromised, users can feel free to contact the issuers and look for the best ways to protect themselves against fraudulent payments.
All this is, of course, very important, especially when some of the exposed information could lead to significant financial losses. The best advice after such an attack, however, is: don't reuse your passwords.