Macy’s has informed customers of an e-skimming data breach following the discovery of Magecart malware on its website.
In a letter to affected customers, the retailer said that it had detected malware on its e-commerce website on October 15 and that it had been active for a little over a week.
“The unauthorized code was highly specific and only allowed the third party party to capture information submitted by customers,” stated the letter, explaining that user-submitted data on the site’s checkout and wallet pages could have been intercepted.
Compromised customer data potentially includes first name, last name, address, city, state, ZIP code, phone number, email address, and full payment card information including number, security code, and expiration date.
Magecart attacks are a growing threat to online retailers and e-commerce sites, where rogue code is inserted into sites to “skim” customer card information. Prior targets of the malware include Ticketmaster, Newegg, British Airways, Forbes Magazine, MyPillow and the Atlanta Hawks. Researchers have found at least 40 separate variants of Magecart code exploits.
Macy’s is offering affected customers 12 months of free identity protection services.