Macy's Data Breach 2019: How to Check If You Have Been Affected

Macy's has written to customers that have been affected by a data breach, just ahead of its Q3 earnings and the Black Friday shopping season.

In a letter dated November 14, the company said: "On behalf of Macy's, we are writing to inform you about a recent incident involving unauthorized access to personal information about you on"

The letter goes on to say that on October 15, 2019, the company was made aware of a suspicious connection between the domain and another website.

Macy's data breach 2019 was affected by the Magecart cybercrime syndicate, which has potentially stolen customer personal data, including payment card details. Macy's

"Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two pages on The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two pages," the company said. These were the checkout page and the wallet page.

What Information Was Stolen From Macy's?

While the code was removed on October 15, 2019, according to the company, the following information potentially could have been accessed:

  • First Name
  • Last Name
  • Address
  • City
  • State
  • Zip
  • Phone Number
  • Email Address
  • Payment Card Number
  • Payment Card Security Code
  • Payment Card Month/Year of Expiration

Macy's has confirmed that "customers checking out or interacting with the My Account wallet page on a mobile device or on the mobile application" were not affected.

What is Magecart?

According to ZDNet, this was a "Magecart" attack. RiskIQ explains that Magecart is a cybercrime syndicate that specialize in digital credit card theft.

The operatives gain access to websites either directly or via third-party services and use malicious JavaScript to steal data shoppers enter into online payment forms on checkout pages.

Other companies that have fallen foul to this type of breach are Ticketmaster and British Airways, according to the security company.

Mike Chapple, associate teaching professor of information technology at the University of Notre Dame's Mendoza College of Business, believes this attack is a great example of an "electronic skimming attack." "Attacks like the one against Macy's are the digital equivalent of card skimming. Instead of physically affixing a skimmer to a machine, the attacker breaks into a retailer's website and inserts computer code that captures card numbers as consumers complete purchases on the site. The electronic skimmer then sends the card numbers to the attacker, who typically immediately sells it on the black market.

"It's much harder to protect yourself from electronic skimming attacks because the code is invisible to you," he told Newsweek. "The responsibility for preventing these attacks really rests with retailers who must implement strong security controls on their websites and regularly test them for the presence of malicious software."

How Can You Find Out Whether You Were Affected By the Macy's Data Breach?

According to Macy's, there are number of ways customers can ascertain whether they've been affected:

  • Customers should remain vigilant for incidents of financial fraud and identity theft by regularly reviewing account statements and immediately report any suspicious activity to their card issuer.
  • Contact their card issuer to inform them that their card information may have been compromised. Your card issuer can suggest appropriate steps to protect your account.

Chapple concurs with this advice, commenting: "Consumers can maintain a watchful eye on their accounts and nip malicious activity in the bud. Promptly reporting unauthorized transactions to banks immediately not only stops an attacker from continuing to use your card but also helps banks track down the source of the attacks and prevent the victimization of others."

Macy's has added a precaution to help customers protect themselves. It has arranged to have Experian IdentityWorksSM provide identity protection services for 12 months at no cost to affected customers. The activation code for these services is unique to each customer.

Experian can also help customers who believe fraudulent use of their information took place as a result of the data breach incident with the following:

  • Helping with contacting creditors to dispute charges and close accounts.
  • Assisting in placing a freeze on customer's credit file with the three major credit bureaus.
  • Assisting with contacting government agencies to help restore identity.

Macy's also encourages its customers to activate the "fraud detection tools" available through Experian IdentityWorks, which is complimentary for 12 months. This product provides identity detection and resolution of identity theft. Customers need to follow the steps below, according to Macy's:

  • Ensure that you enroll by November 30, 2020, as the activation code will not work after this date.
  • Visit the Experian IdentityWorks website to enroll:
  • Provide the activation code provided by Macy's.
  • Customers can also contact Experian's customer care team on 855-557-2999 by November 30, 2020, for assistance.

Macy's also reminds its customers that a credit card will not be required for enrollment to Experian IdentityWorks.

"We are aware of a highly sophisticated and targeted data security incident related to that affected a small number of customers during a one-week period in October," a spokesperson from Macy's told Newsweek. "Our security teams quickly engaged a leading forensic firm to remove the threat.

"Details of this incident were reported to federal law enforcement for investigation and to assist other websites in managing this threat. Affected customers have been notified and will receive additional information, including instructions on how to enroll in consumer protection services at no cost. Security and privacy remain our priority."

This article was updated to include a statement from Macy's.