Man with outstretched hand with shopping cart and consumer icons showing Macy's data breach before start of holiday shopping season
Macy’s Experiences Data Breach Before Start of Holiday Shopping Season

Macy’s Experiences Data Breach Before Start of Holiday Shopping Season

Leading U.S. retailer Macy’s recently announced that it had experienced a data breach over a one-week period in October, sparking concerns that the upcoming holiday shopping season could be filled with similar types of data breaches at other retailers. If that’s the case, it could spook U.S. shoppers and lead to much lower than expected sales holiday results as consumers scale back on their online purchases. On news of the data breach, shares of Macy’s promptly fell 11%.

The return of the Magecart cybercriminal syndicate

The Macy’s data breach, which took place right before the start of the holiday shopping season, appears to be the work of the infamous Magecart cybercriminal syndicate, which has attacked many of the most popular websites on the Internet. These have included cyber attacks on British Airways, NewEgg, and Ticketmaster. In a classic Magecart cyber attack, a tiny piece of malicious code (usually JavaScript) is placed on the website of a major retailer or any other company that relies on credit card transactions (such as travel companies). Once inserted, the malicious code begins to capture information entered on the page. In most cases, this information includes credit card payment details.

And this is exactly what appears to have happened at Macy’s this holiday shopping season. The mega-retailer says that, on October 7, an unauthorized third party inserted malicious code on two pages of the Macys.com website – the checkout page and the My Wallet page (which is used by Macy’s customers to make updates to their account profile and payment preferences). Once inserted, the malicious Magecart code went to work for a nearly weeklong period, in which it scooped up credit card payment numbers, expiry dates, security codes, customer names and customer addresses.

Implications of the Macy’s data breach for holiday shopping

With the information obtained from the data breach, the hackers could take several different actions. The most obvious course of action, of course, is simply to use all of the credit card payment information obtained during the data breach to make fraudulent purchases on other websites or for the cybercriminals to open fraudulent accounts elsewhere on the web. Another option for these hackers would be to sell all of this data on the Dark Web, in any number of hacker forums that traffic in this sort of data. And the third option is to take all the personal data and payment card numbers in order to create cloned cards (i.e. new plastic cards preloaded with all of the hacked data) during the busy holiday shopping season, when it might be harder for retailers to detect such fraud.

The good news, says Macy’s, is that only a small number of customers were affected by the breach. As soon as Macy’s noticed the suspicious connection and further evidence of a “highly sophisticated and targeted data security incident” on Oct. 15, it immediately brought in an outside forensics firm and contacted federal law enforcement authorities. Moreover, customers have been notified in a letter dated Nov. 14.

The big question, though, is whether this data breach – occurring right on the eve of the busiest shopping season of the year – is going to spook shoppers. This Macy’s data breach, while contained in terms of size and scope, is reminiscent of previous cyber attacks that have hit the retail sector. For example, in Spring 2018, the retailer Hudson’s Bay Co. (parent company of Saks Fifth Avenue and Lord & Taylor) suffered a major data breach. And, in 2018, Macy’s also suffered an unrelated data breach of is own.

Colin Bastable, CEO of security awareness training company Lucy Security, notes that Magecart could be a mounting problem over the holiday shopping season: “Magecart is not a mystery, by now, one might think that ‘additional security measures’ would be added to all websites as a matter of course, before hackers drop in some malicious code. That is, surely, the definition of a precaution. Macy’s has implemented what should be described as a security postcaution. For consumers, ‘tis the season to be robbed online. Don’t be fooled by that secure SSL padlock, nor by your browser trusting a website’s ‘secure’ https: prefix. Between now and the New Year’s sales, hundreds of millions of dollars will be up for grabs by online hackers, and the credit card companies have already built in the losses as a cost of doing business.”

Elad Shapira, Head of Research at Panorays, agrees that the Macy’s attack might be a precursor to additional attacks: “The recent data breach at Macy’s is unfortunate, but not surprising. Magecart is responsible for cyber attacks on many major companies including Ticketmaster, British Airways, NewEgg, Magento and more. Online retailers like Macy’s are prime targets for Magecart, because data is easily stolen during checkout, often through third parties, as customers enter their credit cards. For this reason, organizations must put processes in place to manage and review their susceptibility to the Magecart threat. Until they do so, Magecart’s stealthy and highly effective attacks will continue. Macy’s is simply the latest victim, but it definitely won’t be the last.”

Changing investor perceptions

In past years, investors in the stock market might have shrugged off the Macy’s data breach, viewing it only as a tiny blip on the radar of the mega-retailer, which is now the leading U.S. retail apparel site, with over 55.7 million monthly users per month. However, department stores such as Macy’s have been under a lot of financial pressure lately, with many investors worrying that these stores are losing market share to e-retailers such as Amazon. For example, one department store that is often compared to Macy’s – Kohl’s – has been under tremendous pressure recently in terms of revenue and profit margins. Kohl’s has been forced to discontinue some clothing lines, and has even signed a deal with Amazon that enables Amazon customers to return their purchases to physical Kohl’s department stores. Throughout 2019, department stores have underperformed the wider market.

That context might help to explain why investors immediately drove down the shares of Macy’s. U.S. department stores are in an extremely fragile position right now, and any event (such as a major data breach) could be very problematic. Of even more concern, the attack took place right before the start of the holiday shopping season. This holiday shopping season is of vital concern to Macy’s, which depends on success during this time period to turn a profit.

Next steps for Macy’s in wake of data breach

So what can Macy’s do, now that it has already contacted customers and notified law enforcement officials? The obvious step to take, say security experts, is to beef up the cyber security protections of the Macys.com website. The Magecart data breach attack scenario has been well documented, so Macy’s needs to be doing more to prevent any malicious card skimming code from being inserted on its site.

James McQuiggan, Security Awareness Advocate, KnowBe4, comments on some of the security measures that organizations should be taking to prevent future cyber attacks: “The success of the Magecart attack works by compromising the website through vulnerabilities or through a third-party vendor with access to sensitive data on the site. Organizations will want established policies and procedures to verify that internet-facing infrastructure is securely configured and patched up to date. Secondly, organizations will need to restrict third-party vendors’ access to sensitive data. Having strong and robust third-party policies to restrict external access to sensitive information and only allow verified code or scripts to be executed will greatly reduce exposure. And if a breach does occur, the attacker’s opportunity to get data is severely impeded.”

With holiday shopping season now in full swing, the hope is that other top retailers have also put security precautions in place in order to avoid a similar type of data breach. If not, the holiday shopping season may not be filled with good cheer for top department stores and retailers, all of whom are already under pressure by investors to turn in better performance in 2020.