You will be redirected back to your article in seconds
Skip to main content

Macy’s Data Breach Affects “Small Number” of Dot-Com Customers

Macy’s Inc. said it was hit by a data breach that affected a small number of customers who shopped on and

It’s the latest in a string of data security incidents at top-tier retailers this year alone, coming on the heels of breaches at Saks Fifth Avenue, Lord & Taylor, Under Armour, Sears and Adidas.

In this case, the unauthorized third party gained access to customers’ full names, addresses, phone numbers, birthdays, and credit or debit card numbers plus expiration date—but not the three-digit card verification value (CVV) number that typically appears on the signature stripe on the card’s reverse side.

The department-store retailer said it detected “suspicious login activities” on June 11, and ultimately determined that from April 26 through June 12, a third party had inappropriately accessed customer accounts using legitimate usernames and passwords, the Detroit Free Press reported. Macy’s also said the third party did not steal the login data from the retailer but from another source. Macy’s blocked those compromised accounts on June 12 and notified affected customers by mail and email, offering one year of complimentary identity protection services. Macy’s noted that customers who shopped in its brick-and-mortar locations were not affected.

Security experts cited at said breaches like this could be thwarted by multifactor authentication (MF)—using several points of identity verification rather than the more easily hackable username/password combination. “Strong MFA can prevent account takeovers, such as the ones seen in the Macy’s [breach],” Will LaSala, security evangelist at OneSpan, told However, the complexity of modern IT environments often makes successful MFA deployments a challenge.

The retail industry leads with the highest number of data breaches, according to Trustwave’s 2017 Global Security report, accounting for 22 percent of all incidents, followed by the food and beverage sector with 20 percent. The report further noted that companies are improving their breach detection time, which dropped from an average of 80.5 days to 49. Plus, they’re getting better at containing these compromises, taking on average 2.5 days from time of detection to do so.

Data and privacy have garnered renewed attention in the aftermath of the discovery that Cambridge Analytica, a now-shuttered data analytics firm, had abused data from 87 million Facebook accounts.