Cyber Incident Victim: Macy's

Date: Oct 2019

Location: United States of America

Summary

Macy’s experienced a Magecart card-skimming attack targeting its online checkout and wallet pages, where malicious code injected by unauthorized actors harvested customer payment details. The breach compromised names, addresses, email addresses, payment card numbers, security codes, and expiration dates submitted during transactions. The threat actors operated undetected for over a week before the company identified and removed the code, which was designed to capture and exfiltrate sensitive data to external servers. While the exact number of affected customers was not disclosed, the retailer described the impact as limited to a small subset of users and offered complimentary protection services to those involved. This incident aligns with broader Magecart campaigns that exploit vulnerabilities to intercept financial information on e-commerce platforms.

Description

On October 15, 2019, Macy’s detected unauthorized card-skimming code operating within its online payment systems. The malicious script, identified as part of a Magecart attack campaign, had been injected into two critical pages of the Macy’s website: the checkout page and the wallet page accessible via the 'My Account' section. Forensic analysis indicated the code was implanted on October 7, 2019, allowing attackers to harvest customer data for at least one week before detection. The script specifically targeted financial information submitted by users during transactions or account updates, capturing first and last names, physical addresses, ZIP codes, email addresses, payment card numbers, security codes, and expiration dates. Macy’s security team removed the malicious code on the same day it was discovered, October 15, terminating the data exfiltration. The company confirmed the attack exploited a vulnerability in its online infrastructure but did not disclose technical specifics of the initial compromise vector.

The breach exposed sensitive payment data from customers who interacted with the compromised pages during the week-long window. While Macy’s did not publicly disclose the exact number of affected individuals, a company spokesperson characterized the impact as involving a "small" subset of customers. Affected users received direct notification and were offered complimentary consumer protection services. The incident exemplified a typical Magecart operation, where threat actors inject skimming scripts into e-commerce platforms to intercept and exfiltrate payment data to command-and-control servers. This attack methodology had previously targeted major organizations including British Airways, Ticketmaster, and Newegg. Macy’s emphasized that only its online payment portals were compromised, with no evidence of intrusion into broader corporate systems or physical store networks. The stolen data could enable fraudulent transactions, card cloning, or resale on criminal marketplaces, though Macy’s did not report confirmed instances of misuse at the time of disclosure.
