Macy’s Data Breach

Jenney Clark
Digital Privacy Wise
Jul 9, 2018


Image courtesy: Mike Strand, licensed under the Creative Commons Attribution 3.0 Unported license

According to Wikipedia, Macy’s is an American department store chain. It became a division of the Cincinnati-based Federated Department Stores in 1994, through which it is affiliated with the Bloomingdale’s department store chain. As of 2015, Macy’s was the largest U.S. department store company by retail sales. The Macy’s data breach was disclosed on July 6, 2018.

In a recent data breach, an unnamed third party used valid usernames and passwords to access customers’ accounts between April 26 and June 12, 2018.

The Detroit Free Press, part of the USA Today network, reported on the breach in an article published on 6th July 2018. As written by Caroline Blackmon at the Detroit Free Press:

What the report says

Macy’s is warning customers that the retailer discovered a cyber threat that targeted customer profiles for almost two months. According to a letter mailed to macys.com customers this week, Macy’s cyber threat alert tools detected suspicious login activities on June 11.

This “suspicious activity” was being done by a third party, who the retailer said obtained the information from a source other than Macy’s. From April 26 to June 12, the third party was using valid usernames and passwords to gain access to the customers’ accounts.

On June 12, Macy’s blocked the profiles that seemed to be breached by the third party.

What customers should do

A macys.com customer account will remain blocked until the customer changes the password associated with the profile, according to the letter. You should’ve received an email notifying you that your profile was blocked.
If you didn’t receive an email, Macy’s said to check your junk folder for an email with the subject line “Important information about your Macy’s online profile.” If you can’t find the email, Macy’s said that your profile still may be blocked and to change the password anyway.

What information was involved

After logging in, the unauthorized party was able to access the customer’s full name, address, phone number, email address, birthday and debit or credit card number with expiration dates.

Macy’s said macys.com accounts do not include CVV numbers that appear on the backs of credit cards or Social Security numbers.

Macy’s suggestions

In the letter, the company said customers should “remain vigilant” for fraud and identity theft.

They also suggested that customers contact their debit or credit card companies to tell them about the data breach.
Macy’s also said it strongly encourages customers to change the password for any online account for which you used the same username and password as your macys.com account. Because the third party got the information from a source other than Macy’s, that information still could be available.

The retailer also said it arranged to have AllClear ID provide a year of free identity protection to affected customers.

According to the Customer Protection Alert published by Macy’s Customer Service website, Macy’s encourages all customers to be aware of potentially fraudulent or deceptive emails, phone calls and postal mail.

Here are some simple guidelines to help you safeguard your personal information.

Do Not Share Sensitive Personal Information with Unknown People

Be skeptical of requests for account numbers, social security numbers, credit card numbers, or any other sensitive personal information. Never reveal sensitive information to anyone you do not know, especially if you suspect fraud.

Do not use universal username and password on multiple websites

Using a universal username and password for multiple websites leads to your account being vulnerable to interference from outside parties. As a company, Macy’s takes the security of your account information very seriously. Therefore, we take measures to protect the security of our customers’ account information.

Do not share sensitive personal information over email

Macy’s will never ask you to provide sensitive information by email. Whenever you’re asked for personal information by email, phone or text message, we recommend that you call back the general published number for whatever company you’re dealing with, or that you go to the official Web site. If you have any doubt regarding the legitimacy of an email DO NOT respond or click on any links.

Email at fraud@macys.com to alert us about suspicious emails or calls. Visit the Federal Trade Commission’s website at www.ftc.gov for additional advice on protecting your personal information.

As reported by Ray Schultz on Mediapost.com,

Macy’s spokesperson Blair Rosenberg confirmed the incident to Email Insider, providing this statement:

We are aware of a data security incident involving a small number of our customers at macys.com and bloomingdales.com. We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures. Macy’s, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services.

On June 12, Macy’s blocked the profiles that seemed to be breached by the third party, but what is not known to us at this point is why it took so long and why this came to light now. We are not sure when Macy’s started sending out emails to its affected customers.

This is not the first time

We can’t avoid data breaches in today’s online world. Any company’s data can be breached anytime, just like someone can break into your house anytime. It doesn’t matter how foolproof the security protections are. What we can do is react to the incident once it has happened.

If you swipe your card at any store even once or order anything online, you are at risk of losing your personal and sensitive data.

Major retailers have been hit with data breaches. During Christmas 2013, Target experienced a major data breach, which exposed 70 million records. Similarly, Walmart leaked data of 1.3 million shoppers.

This is not the first time this has happened to Macy’s. As Jeff Bernthal reported on 11 Feb 2010, customers’ personal information was found in a Macy’s dumpster.

It was long ago, but as reported by ABC7 News on July 28, 2008, a Macy’s security breach halted Macy’s Card Services, affecting 4100 Macy’s customers.

Jenney Clark
Digital Privacy Wise

Jenney is a passionate technology blogger, cybersecurity enthusiast, addicted reader and online privacy advocate who follows the KISS principle (Keep It Simple, Stupid).