Macy's has begun notifying some of its online customers that their payment details were exposed after Magecart code compromised parts of its website.
The breach notice claims that on October 15, 2019, Macy's was alerted to a suspicious connection between macys.com and another site. The Macy's security team began an investigation and claims that, based on that investigation, it believes an unauthorized third party added unauthorized code to two of its macys.com pages on October 7, 2019. Unfortunately, this means it took Macy's over a week to learn of the security incident.
The notice went on to say that "The unauthorized code was highly specific and only allowed the third-party to capture information submitted by customers on the following two macys.com pages: (1) the checkout page — if credit card data was entered and “place order” button was hit; and (2) the wallet page — accessed through My Account." The code was successfully removed on October 15, 2019.
Customers impacted by this breach are likely to have had their full payment details compromised by hackers, including first and last name, address, phone number, email, payment card number, payment card security code, and expiration date.
This gives criminals enough information to make unauthorized purchases in the victims' names and potentially to run identity fraud scams.
Macy's has reported the incident to those card brands affected by the breach and claims to have taken steps to prevent Magecart code from being added to its pages again. Affected customers have also been offered 12 months of free Experian IdentityWorks identity protection services.
Macy's is just the latest in a slew of organizations to have had their websites compromised by Magecart code. It was reported last month that hackers using Magecart activated online credit card skimmers on 3,126 online shops hosted by eCommerce provider Volusion.
Traditional file integrity monitoring (FIM) solutions take a very narrow look at integrity and at the unknown or unsuspected consequences of “baselines” as they pertain to security breaches and to checking the box on compliance mandates. They simply establish a baseline, determine whether any additions, modifications, or deletions have been made to the target files or directories, and alert based on those changes.
There are a few problems with this. The first problem is that a baseline assumes that all the files are known to be good and originated with a high degree of trust and authenticity, which is far from reality. The second problem is that, for changes made inside an authorized change management window, there is no way of validating and verifying expected or authorized change against observed change.
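Both gaps can be narrowed by comparing observed hashes against more than the baseline. The following is an added example, not code from the original article or from any FIM product; the file names, the trusted release manifest, and the approved-change list are assumptions made for illustration.

```python
import hashlib

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def reconcile(baseline, trusted, approved, observed):
    """Classify each path; every argument maps path -> SHA-256 hex digest.
    baseline: recorded when monitoring started
    trusted:  digests of known origin (assumed here: a release manifest)
    approved: digest each file must have after the change window
    observed: what is on disk now
    """
    findings = {}
    for path in sorted(set(baseline) | set(approved) | set(observed)):
        base, now = baseline.get(path), observed.get(path)
        if path in approved:
            # Inside a change window the file must match the expected digest
            # exactly; "something changed, as planned" is not enough.
            ok = now == approved[path]
            findings[path] = "authorized-change" if ok else "change-mismatch"
        elif base is None:
            findings[path] = "unauthorized-add"
        elif now is None:
            findings[path] = "unauthorized-delete"
        elif now != base:
            findings[path] = "unauthorized-modify"
        elif trusted.get(path) != base:
            # Unchanged since the baseline, but the baseline was never verified.
            findings[path] = "untrusted-baseline"
        else:
            findings[path] = "ok"
    return findings

def sample_run():
    """Constructed data: file names and contents are hypothetical."""
    names = ("cart.js", "checkout.js", "wallet.js", "legacy.js")
    v1 = {p: digest(p.encode() + b" v1") for p in names}
    trusted = {p: h for p, h in v1.items() if p != "legacy.js"}
    approved = {"checkout.js": digest(b"checkout.js v2"),
                "wallet.js": digest(b"wallet.js v2")}
    observed = {**v1,
                "wallet.js": digest(b"wallet.js v2"),              # as approved
                "checkout.js": digest(b"checkout.js v2 + extra"),  # not as approved
                "extra.js": digest(b"not in any manifest")}
    return reconcile(v1, trusted, approved, observed)

if __name__ == "__main__":
    for path, verdict in sample_run().items():
        print(f"{verdict:20} {path}")
```

A baseline-only monitor would report both checkout.js and wallet.js as modified during the window and nothing for legacy.js; here only the checkout.js change fails validation, and legacy.js is surfaced as never verified.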