Macy’s Inc. said it was hit by a data breach that affected a small number of customers who shopped on macys.com and bloomingdales.com.
In this case, the unauthorized third party gained access to customers’ full names, addresses, phone numbers, birthdays, and credit or debit card numbers with expiration dates, but not the three-digit card verification value (CVV) printed in the signature panel on the back of the card. Without the CVV, the stolen card data is less useful for online purchases, though the personal details still support fraud and phishing.
The department-store retailer said it detected “suspicious login activities” on June 11 and ultimately determined that from April 26 through June 12 a third party had inappropriately accessed customer accounts using valid usernames and passwords, the Detroit Free Press reported. Macy’s also said the third party did not steal the login data from the retailer but obtained it from another source; reusing credentials leaked elsewhere against a different site is the pattern known as credential stuffing, and it works because customers reuse passwords across sites. Macy’s blocked the compromised accounts on June 12 and notified affected customers by mail and email, offering one year of complimentary identity protection services. Macy’s noted that customers who shopped in its brick-and-mortar locations were not affected.
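The “suspicious login activities” that tipped Macy’s off are, in a credential-stuffing campaign, typically one source trying leaked username/password pairs against many different accounts with a low hit rate. The following is an added example, not code from Macy’s or from the original article, showing that detection logic over constructed login events; the one-event-per-line log format, the field order, the thresholds, and the account names are all assumptions, and the source addresses are RFC 5737 documentation ranges.

```python
"""Credential-stuffing detection over authentication logs (added example).

Assumed log format, one event per line:
    <ISO-8601 timestamp> <account> <source IP> <SUCCESS|FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). 203.0.113.7 sprays leaked
# credential pairs across eight accounts in a few seconds and gets two hits;
# 198.51.100.4 is an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
2018-04-26T02:00:01Z alice@example.com 203.0.113.7 FAIL
2018-04-26T02:00:02Z bob@example.com 203.0.113.7 FAIL
2018-04-26T02:00:03Z carol@example.com 203.0.113.7 SUCCESS
2018-04-26T02:00:04Z dave@example.com 203.0.113.7 FAIL
2018-04-26T02:00:05Z erin@example.com 203.0.113.7 FAIL
2018-04-26T02:00:06Z frank@example.com 203.0.113.7 SUCCESS
2018-04-26T02:00:07Z grace@example.com 203.0.113.7 FAIL
2018-04-26T02:00:08Z heidi@example.com 203.0.113.7 FAIL
2018-04-26T08:15:00Z alice@example.com 198.51.100.4 FAIL
2018-04-26T08:15:20Z alice@example.com 198.51.100.4 SUCCESS
"""


def parse_events(text):
    """Parse log lines into (timestamp, account, ip, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, outcome = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, account, ip, outcome == "SUCCESS"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, max_success_rate=0.5):
    """Flag source IPs that, within any `window`, attempted logins against at
    least `min_accounts` distinct accounts with a success rate at or below
    `max_success_rate`.  Returns {ip: sorted list of accounts that source
    successfully logged into}, i.e. the accounts to block and notify."""
    by_ip = defaultdict(list)
    for stamp, account, ip, ok in sorted(events):
        by_ip[ip].append((stamp, account, ok))

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it covers at most `window` of time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {a for _, a, _ in win}
            if len(accounts) < min_accounts:
                continue
            successes = sum(1 for _, _, ok in win if ok)
            if successes / len(win) <= max_success_rate:
                hits = {a for _, a, ok in win if ok}
                flagged[ip] = sorted(set(flagged.get(ip, [])) | hits)
    return flagged


def accounts_to_block(flagged):
    """Union of accounts taken over by any flagged source."""
    return sorted({a for hits in flagged.values() for a in hits})


if __name__ == "__main__":
    hits = find_stuffing_sources(parse_events(SAMPLE_LOG))
    for ip, accounts in hits.items():
        print(f"{ip}: credential stuffing, took over {accounts}")
    print("block:", accounts_to_block(hits))
```

Per-source thresholds like these are only a baseline: a campaign spread across a proxy pool stays under any single-IP limit, so production detection also correlates on user agent, ASN, and a site-wide spike in failed logins, and checks new passwords against known-breached lists so reused credentials are rejected before an attacker can try them.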
Security experts cited at DarkReading.com said breaches like this could be thwarted by multifactor authentication (MFA), which requires several independent proofs of identity rather than the username/password combination alone, so a password stolen from another site is not enough on its own to log in. “Strong MFA can prevent account takeovers, such as the ones seen in the Macy’s [breach],” Will LaSala, security evangelist at OneSpan, told DarkReading.com. However, the complexity of modern IT environments often makes successful MFA deployments a challenge.
The retail industry accounted for the largest share of data breaches in Trustwave’s 2017 Global Security Report, at 22 percent of all incidents, followed by the food and beverage sector at 20 percent. The report also noted that companies are improving their breach detection time, which dropped from an average of 80.5 days to 49, and are getting better at containing compromises, taking on average 2.5 days from detection to containment.
Data and privacy have garnered renewed attention in the aftermath of the discovery that Cambridge Analytica, a now-shuttered data analytics firm, had abused data from 87 million Facebook accounts.