Skip to main content

Macy’s Data Breach Could Spook Shoppers as Holiday Spree Gets Underway

Macy’s confirmed that its e-commerce site suffered a week-long October data breach that exposed customer payment information to hackers.

In a letter dated Nov. 14, Macy’s began informing customers of the data security breach, which was detected and corrected on Oct. 15 but had begun a week earlier on Oct. 7. The retailer said hackers inserted suspicious code onto the Macy’s checkout page and in the wallet section of a user’s account details—places where shoppers would enter or interact with their credit and debit card information. Hackers had access to contact information and payment card details from a “small number” of customers, Macy’s confirmed in a statement.

Macy’s, which is set to report third-quarter earnings on Nov. 21, was able to remove the malignant code and shut down the breach far faster than the 162 hours the average business needs to detect, triage, investigate and contain a cybersecurity incident. That’s according to CrowdStrike’s survey of 1,900 IT decision-makers and professionals across Australia, North America, Europe, the Middle East, and Asia.

It’s been a relatively quiet year for retail data breaches, following a string of security comprises in 2018 that saw major merchants including Sears, Adidas, Saks and Lord&Taylor, Under Armour, and yes, Macy’s, all fall victim to sophisticated cybercriminals whose tactics seemingly evolve by the hour.

And the news comes as 33 percent of consumers voiced their belief that small retailers should offer the same digital data protections as their larger, deep-pocketed peers, even as the biggest merchants struggle to plug up holes in their cybersecurity plans.

Shoppers have good reason to be on high alert as the holiday retail gears up for the year-end gift-grabbing rush.

Related Stories

“Just like your family, cybercriminals have holiday traditions and they are constantly looking for ways to take advantage of holiday shoppers,” Gary Davis, chief consumer security evangelist at cybersecurity firm McAfee, said. “While most consumers believe that cyber-scams become more prevalent during the holiday season, a third don’t actually take any steps to change their online behavior.

“It is crucial that we are mindful of potential risks and take the proper steps to protect ourselves this holiday season,” Davis added.

Though McAfee believes fake and fraudulent gift cards present a rising threat to shoppers this holiday, just 43 percent are aware of this danger, according to its new 1,000-consumer survey of U.S. adults 18 and older. And more than one-third (37 percent) of shoppers fail to do even the most basic due diligence, such as confirming the veracity of a retailer’s website or authenticating an email sender, when browsing and buying online.

With six days squeezed out of the critical Thanksgiving-to-Christmas shopping window, consumers will likely find themselves even more pressed to cross names off their gifting lists this year. Digital marketing agency NetElixir predicts 9 percent e-commerce growth over the holiday season, but retailers will need to generate 20 percent more in sales each day to compensate for the six missing shopping days and match last year’s revenue results.

The agency said it’s basing its forecast on a third-quarter slowdown in digital sales, in which both revenue and sales dipped from their prior-year levels. And the e-commerce outlook is coming in lower than past holiday seasons, which NRF says expanded by 11.5 percent and 13 percent in 2018 and 2017, respectively.

As other firms have indicated, smartphones are set to take a starring role in holiday season shopping, driving nearly three-quarters (72 percent) of searches and close to half (45 percent) of all e-commerce purchases. Voice, NetElixir added, is set to power 35 percent of mobile searches, “indicating less friction in the search-to-purchase process for consumers.”