July 24, 2018
A Macy’s data breach has seen the personal and financial information of a few thousand customers stolen. The retailer’s website suffered a number of unauthorized log-ins to customer accounts.
The Macy’s data breach took place between April and June, over a period believed to be about six weeks. Unfortunately, the suspicious activity was not discovered until 11 June, when a number of customer accounts on macys.com and bloomingdales.com were found to be showing it. By 12 June, the profiles had been blocked.
A Macy’s spokesperson said:
“We are aware of a data security incident involving a small number of our customers. We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures.”
The number of affected customers is thought to be less than 0.5 per cent of the user base, so the total is thankfully only in the thousands and not the tens of thousands.
But those hit have had their full names, usernames and passwords and, most worryingly, credit or debit card information stolen. That does not include the cards’ CVV numbers.
The Macy’s data breach appears to have stemmed from the compromise of a third-party database of usernames and passwords for the retailer. The perpetrators were able to log in to customers’ accounts without raising too much suspicion.
There are two takeaways from such a hack. First, multi-factor authentication is becoming more and more important for organizations. If a second layer of security had been needed to log in to the retail sites, the breach may not have been so easy to carry out.
Secondly, hacks that come through a third-party partner of an organization are becoming more common, while direct attacks on organizations with valuable information are becoming rarer. Hackers look to expose a weakness in the partnerships organizations have with other businesses. That’s why protected sharing methods between collaborating companies are becoming an integral and important part of building a strong cyber security ecosystem and defenses.
Hopefully those affected in the Macy’s attack will get the support and help they need to minimize potential identity theft and fraud attacks on them.