Dive Brief:
- Macy's warned customers of its e-commerce sites that their data has been breached, according to a notice sent to the affected customers on June 27, and published later by DataBreaches.net. The security incident involved "unauthorized access to personal information" from late April to mid-June, according to the notice from Michael Gatio, president of Macy's credit and customer services.
- Macy's did not specify how many customer accounts were affected, though it involved "a small number of our customers at Macys.com and Bloomingdales.com," according to a corporate statement sent to SC Media yesterday.
- The retailer's cyberthreat alert tools identified suspicious logins to "certain" customer profiles on June 11, according to the notice. The company said an unauthorized third party gained access to customers' first and last names, full addresses, phone numbers, email addresses, birthdays and credit card numbers with expiration dates. After opening an investigation, Macy's blocked those customers' accounts until they could update their passwords.
Dive Insight:
Some security experts think the broad breach of Macy's e-commerce sites was due to weak authentication. This is the first time that Macy's is known to have been breached, and it reported the incident quite quickly compared to others like Panera Bread and Ticketmaster UK.
In its notice, the company said that an unauthorized third party used valid usernames and passwords to gain access to customers' online profiles. "We believe the third party obtained these customer usernames and passwords from a source other than Macy's," it stated. Macy's urged customers to be vigilant about their accounts and change passwords frequently.
Dark Reading said Macy's breach resulted from an authentication weakness. It is among recent breaches "involving the use of legitimate credentials to access and steal enterprise data," wrote Jai Vijayan in Dark Matter. "Often, the threat actors behind the attacks have first stolen the credentials or obtained them via social engineering, and then used them to access the target network."
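Because the credentials used here were valid, failed-login counts alone would not have surfaced the activity; the signal is one source touching many distinct accounts in a short window, which is what the "suspicious logins" alert described in the notice likely keyed on. The following is an added illustration, not code from Macy's or from Dark Reading: it runs a sliding-window detector over a few constructed login records (the IPs, usernames and timestamps are invented and the log format is assumed) and returns the accounts that should be blocked pending a password reset, mirroring the response the notice describes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real Macy's data, assumed format):
# one normal user, and one source IP walking through many distinct accounts
# with mostly valid credentials, as in a credential-reuse attack.
SAMPLE_LOG = """\
2018-06-11T03:14:01Z ip=198.51.100.7 user=alice result=success
2018-06-11T03:14:05Z ip=203.0.113.5 user=bob result=success
2018-06-11T03:14:06Z ip=203.0.113.5 user=carol result=failure
2018-06-11T03:14:07Z ip=203.0.113.5 user=dave result=success
2018-06-11T03:14:08Z ip=203.0.113.5 user=erin result=success
2018-06-11T03:14:09Z ip=203.0.113.5 user=frank result=success
2018-06-11T03:14:10Z ip=203.0.113.5 user=grace result=failure
2018-06-11T03:20:00Z ip=198.51.100.7 user=alice result=success
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' login record into a dict."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": kv["ip"],
        "user": kv["user"],
        "success": kv["result"] == "success",
    }


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: set_of_usernames} for every source IP that touched at least
    `min_accounts` distinct accounts within any `window`-long interval.

    Success/failure is deliberately ignored: credentials stolen from another
    site are valid here, so the logins succeed and a failure-rate rule misses
    them. The distinct-account fan-out per source is the robust signal.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # ip -> deque of (timestamp, username)
    flagged = {}
    for ev in events:
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["user"]))
        # Drop entries that have aged out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_accounts:
            flagged.setdefault(ev["ip"], set()).update(users)
    return flagged


def accounts_to_lock(flagged):
    """Accounts to block until the owner resets the password, which is the
    containment step the Macy's notice describes."""
    if not flagged:
        return []
    return sorted(set().union(*flagged.values()))


if __name__ == "__main__":
    hits = detect_credential_stuffing(SAMPLE_LOG)
    for ip, users in hits.items():
        print(f"{ip}: {len(users)} distinct accounts in window -> {sorted(users)}")
    print("lock pending reset:", accounts_to_lock(hits))
```

The thresholds (five accounts in five minutes) are illustrative; a production rule would tune them per site and also key on shared device fingerprints or ASN, since attackers spread requests across many source addresses. Locking the touched accounts and forcing a reset, as Macy's did, limits further use of the stolen credentials, while multi-factor authentication removes most of the value of a reused password in the first place.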
Macy's joins a long list of retailers and brands reporting data breaches, a group that includes: Adidas, Under Armour's MyFitnessPal app, Panera Bread, The Buckle, Eddie Bauer, Forever21, Kmart, Sears, Best Buy, Sonic, Whole Foods, Gamestop, Arby's and Hudson's Bay Co.
Addressing the breach, the company told SC Media that after investigating it has "addressed the cause and, as a precaution, ha[s] implemented additional security measures." Macy's added that it would provide affected customers free additional protection.
Some security specialists were not impressed. "Macy's declaration that they have added additional security measures as a precaution is like saying you have added fire extinguishers after the building has burnt to the ground," John Gunn, CMO of OneSpan, told SC Media. "Private citizens have no way of knowing if the firms that they have trusted are implementing proper security measures and the frequency with which breaches continue to occur would indicate that this is not the case. Most firms implement necessary security, such as multi-factor authentication, but additional regulation is needed to ensure that all of them do."