Experts Comments On Macy’s Customer Payment Info Stolen In Magecart Breach

Macy’s has disclosed a data breach: its web site was hacked with malicious scripts that steal customers’ payment information. In Magecart attacks, attackers compromise web sites to inject malicious JavaScript into various sections of the site. These scripts then steal payment information as it is submitted by a customer.

The ‘Notice of Data Breach’ issued by Macy’s says their web site was hacked on October 7th, 2019 and a malicious script was added to the ‘Checkout’ and ‘My Wallet’ pages. If any payment information was submitted on these pages while they were compromised, the credit card details and customer information were sent to a remote site under the attacker’s control.

Experts Comments

November 19, 2019
Peter Draper
Technical Director, EMEA
Gurucul
Magecart attacks in action again. A number of organisations have been compromised in this way, including the 2019 British Airways breach. Managing and controlling what can and cannot be run on your website is critical in ensuring the security of your customers' data. Likewise, having the capability to monitor behaviour and traffic to and from your estate is becoming a must. Identifying anomalous traffic quickly and taking action can reduce the impact of such attacks.
November 22, 2019
Kevin Lancaster
General Manager of Security Solutions
Kaseya
First and foremost, retailers must ensure they are complying with the Payment Card Industry Data Security Standard (PCI DSS). Compliance with these standards helps retailers protect payment card data by restricting physical and digital business access to cardholder data and requiring multi-factor authentication for all non-console administrative access. None of these processes alone will ensure complete IT security. However, retailers can leverage compliance and incorporate cybersecurity best practices to maximize consumer protection in the payment lifecycle.
November 21, 2019
Lev Lesokhin
SVP of Strategy and Analytics
CAST
While we commend Macy’s for finding the breach and dealing with it only about a week after it first occurred, with the right precautions this is easily avoidable. Putting a stop to code injection is one of the oldest tenets in the app sec playbook. That said, with modern applications, consisting of multiple layers, components and interstitial APIs, that task is becoming increasingly difficult. Malicious code can also be unwittingly inserted by insiders. Stopping these types of attacks before they happen requires an architectural assessment of core application transactions, something that can be easily automated by software intelligence technology.
November 22, 2019
Chris Kennedy
CISO and VP of Customer Success
AttackIQ
Consumers trust companies to keep their data secure and with the holiday season around the corner, this is at the top of mind. Cybercriminals are continuously looking for gaps in security defenses and vulnerabilities to turn a quick profit. In this incident, valuable financial information was stolen including credit card numbers, security codes and expiration dates. During peak holiday shopping season, it is imperative companies continuously validate their security controls to make sure they are enabled, configured correctly and operating effectively. What’s more, companies should proactively test and evaluate their cybersecurity posture to find vulnerabilities and remediate them before they can be exploited by bad actors.
November 20, 2019
Piers Wilson
Head of Product Management
Huntsman Security
“Consumers trust companies to keep their data secure and with the holiday season around the corner, this is at the top of mind. Cybercriminals are continuously looking for gaps in security defenses and vulnerabilities to turn a quick profit. In this incident, valuable financial information was stolen including credit card numbers, security codes and expiration dates. During peak holiday shopping season, it is imperative companies continuously validate their security controls to make sure they are enabled, configured correctly and operating effectively. What’s more, companies should proactively test and evaluate their cybersecurity posture to find vulnerabilities and remediate them before they can be exploited by bad actors.”
November 20, 2019
Elad Shapira
Head of Research
Panorays
The recent data breach at Macy's is unfortunate, but not surprising. Magecart is responsible for cyberattacks on many major companies including Ticketmaster, British Airways, NewEgg, Magento and more. Online retailers like Macy’s are prime targets for Magecart, because data is easily stolen during checkout, often through third parties, as customers enter their credit cards. For this reason, organizations must put processes in place to manage and review their susceptibility to the Magecart threat. Until they do so, Magecart’s stealthy and highly effective attacks will continue. Macy’s is simply the latest victim, but it definitely won’t be the last.
November 20, 2019
Mike Bittner
Associate Director of Digital Security and Operations
The Media Trust
The challenge with preventing cross-site scripting attacks is identifying which code should be running on a site, and which shouldn't. Until site owners know all the domains that are called by code on their site, they won't be able to distinguish who's authorized to be there, and who isn't. If they have an inventory of allowed digital vendors, they'll be able to root out unauthorized actors like those behind barn-x.com. They need to take a left-of-breach approach. Only allow code from digital vendors you know. Treat everyone else as a potential threat. You'll avoid making the headlines for all the wrong reasons.
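The attack described in the article (a script injected into the checkout page that posts card data to an attacker-controlled host) and the vendor-inventory control the comment above recommends can both be exercised with a small check. The following is an added example, not code from the article, Macy's or any commenter: it parses a constructed checkout page, lists every host that supplies a script, flags hosts missing from an assumed vendor allowlist, and derives a Content-Security-Policy from that allowlist so that only approved hosts can run code or receive form data. All hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a checkout page: one first-party script, one approved
# payment vendor, and one script from a host that is not in the inventory.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://www.shop.example/static/checkout.js"></script>
<script src="https://js.payments-vendor.example/v3/sdk.js"></script>
<script src="https://cdn.unknown-host.example/analytics.js"></script>
<script>window.__cfg = {};</script>
</head><body><form id="checkout"></form></body></html>
"""

# Hypothetical vendor inventory: hosts the site owner has approved to run code.
ALLOWED_SCRIPT_HOSTS = {"www.shop.example", "js.payments-vendor.example"}


class ScriptInventory(HTMLParser):
    """Collects external script hosts and counts inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external_hosts = []
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external_hosts.append(urlparse(src).hostname or "")
        else:
            self.inline_scripts += 1  # inline code has no host to allowlist


def find_unapproved_hosts(html, allowed):
    """Return script hosts on the page that are not in the vendor inventory."""
    inv = ScriptInventory()
    inv.feed(html)
    return sorted({h for h in inv.external_hosts if h not in allowed})


def csp_for_inventory(allowed):
    """Build a CSP that only lets approved hosts supply code or receive data."""
    hosts = " ".join(sorted(allowed))
    return f"script-src 'self' {hosts}; connect-src 'self' {hosts}; form-action 'self'"


if __name__ == "__main__":
    print(find_unapproved_hosts(SAMPLE_CHECKOUT_HTML, ALLOWED_SCRIPT_HOSTS))
    print(csp_for_inventory(ALLOWED_SCRIPT_HOSTS))
```

Running the page-side check against the live HTML on a schedule, and serving the generated policy as a `Content-Security-Policy` header, turns the inventory into both a detection and a browser-enforced control.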
November 20, 2019
Robert Prigge
CEO
Jumio
The Macy’s data breach is concerning for two reasons. First, it released even more personally identifiable information into the dark web including names, emails, addresses and credit card information. This compromised data can be combined with other available information to create a “fullz,” giving criminals everything they need to commit identity theft. 2019 has been a record year for fraud and criminals are splicing together information from disconnected breaches, creating full identity profiles for sale on the dark web. Once a fullz is purchased, cybercriminals exploit the power of bots to automate and perform ATO fraud at scale. Bots can perform upwards of 100 attacks per second, making it easier and faster to penetrate the defenses of popular websites. This means if a person uses a password on the originally compromised website, bots can scour the web to find other websites where those same credentials are re-used to perpetrate ATO with relative ease. Javelin’s 2019 Identity Fraud Study reported $4 billion in ATO losses last year and new account fraud losses of $3.4 billion. Second, the retail industry is highly susceptible to seasonal fraud and we are rapidly approaching the busy holiday buying season. In 2017, ATO fraud rose 31% during the holiday season, and we can expect this to be much higher in 2019. Criminals will attempt to weaponize the overwhelming amount of exposed data on the dark web to take over the retail accounts of legitimate consumers or use stolen identity data to commit account registration fraud against online retailers. This highlights the pressing need for retailers – and any company with a digital presence – to adopt biometric authentication solutions to protect their users and online ecosystem from digital identity fraud by verifying a user’s digital identity matches their physical identity.