Experts Comments On Macy’s Customer Payment Info Stolen In Magecart Breach

Macy’s has disclosed a data breach: its web site was compromised with malicious scripts that steal customers’ payment information. In Magecart attacks, criminals compromise a web site and inject malicious JavaScript into specific pages, typically the ones that handle card entry. The injected script runs in the customer’s browser as part of the legitimate page, reads the payment details as the customer types or submits them, and sends a copy to a server the attackers control. Because the theft happens in the browser before the data is encrypted in transit, TLS on the site does nothing to prevent it; the defenses that matter are controlling which scripts may execute on payment pages and detecting unexpected ones.

The ‘Notice of Data Breach’ issued by Macy’s said the web site was compromised on October 7th, 2019 and a malicious script was added to the ‘Checkout’ and ‘My Wallet’ pages. If any payment information was submitted on those pages while they were compromised, the card details and customer information were sent to a remote site under the attackers’ control.

Chris Kennedy, CISO and VP of Customer Success
November 22, 2019 3:41 am

Consumers trust companies to keep their data secure and with the holiday season around the corner, this is at the top of mind. Cybercriminals are continuously looking for gaps in security defenses and vulnerabilities to turn a quick profit. In this incident, valuable financial information was stolen including credit card numbers, security codes and expiration dates. During peak holiday shopping season, it is imperative companies continuously validate their security controls to make sure they are enabled, configured correctly and operating effectively. What’s more, companies should proactively test and evaluate their cybersecurity posture to find vulnerabilities and remediate them before they can be exploited by bad actors.

Kevin Lancaster, General Manager of Security Solutions
November 22, 2019 3:38 am

First and foremost, retailers must ensure they are complying with the Payment Card Industry Data Security Standard (PCI DSS). Compliance with these standards helps retailers protect payment card data by restricting physical and digital business access to cardholder data and requiring multi-factor authentication for all non-console administrative access. None of these processes alone will ensure complete IT security. However, retailers can leverage compliance and incorporate cybersecurity best practices to maximize consumer protection in the payment lifecycle.

Lev Lesokhin, SVP of Strategy and Analytics
November 21, 2019 6:57 am

While we commend Macy’s for finding the breach and dealing with it only about a week after it first occurred, with the right precautions this is easily avoidable. Putting a stop to code injection is one of the oldest tenets in the app sec playbook.

That said, with modern applications, consisting of multiple layers, components and interstitial APIs, that task is becoming increasingly difficult. Malicious code can also be unwittingly inserted by insiders. Stopping these types of attacks before they happen requires an architectural assessment of core application transactions, something that can be easily automated by software intelligence technology.

Piers Wilson, Head of Product Management
November 20, 2019 4:09 pm

Consumers trust companies to keep their data secure and with the holiday season around the corner, this is at the top of mind. Cybercriminals are continuously looking for gaps in security defenses and vulnerabilities to turn a quick profit. In this incident, valuable financial information was stolen including credit card numbers, security codes and expiration dates. During peak holiday shopping season, it is imperative companies continuously validate their security controls to make sure they are enabled, configured correctly and operating effectively. What’s more, companies should proactively test and evaluate their cybersecurity posture to find vulnerabilities and remediate them before they can be exploited by bad actors.

Elad Shapira, Head of Research
November 20, 2019 2:15 pm

The recent data breach at Macy’s is unfortunate, but not surprising. Magecart is responsible for cyberattacks on many major companies including Ticketmaster, British Airways, NewEgg, Magento and more. Online retailers like Macy’s are prime targets for Magecart, because data is easily stolen during checkout, often through third parties, as customers enter their credit cards. For this reason, organizations must put processes in place to manage and review their susceptibility to the Magecart threat. Until they do so, Magecart’s stealthy and highly effective attacks will continue. Macy’s is simply the latest victim, but it definitely won’t be the last.

Information Security Buzz