The Macy’s Magecart data breach: What you need to know to protect your customers

Macy’s is the latest company to fall victim to the attack trend of web skimming: breaking into web apps to insert virtual skimmers into a website’s JavaScript that steal sensitive data such as passwords, credit card numbers, and social security numbers.

In October 2019, the U.S. retailer quietly disclosed that it had discovered malicious, unauthorized third-party code on Macys.com collecting the personal information of customers as they checked out on payment pages. The breach lasted from October 7th until October 15th and compromised the personal information of every person who made a purchase during that time.

Magecart continues to threaten websites

The attack appears to be the work of Magecart — a web skimming cybercriminal syndicate that has made headlines this year for attacking some of the largest websites on the internet. 

Magecart attacks have been disclosed at Ticketmaster, British Airways, and Newegg — and earlier in the year, it was reported that Magecart skimming code has been spotted on over 2 million websites and has compromised at least 18,000 domains. 

While Magecart attacks typically focus on collecting payment details like credit card numbers or security codes, web skimming or e-skimming attacks can be used to steal any personal information that is being entered into a website. This means any website that collects valuable private data, such as online banking credentials or social security numbers, is a likely target for an attack, so most businesses with an online presence are at risk.


Blindness in the browser translates to e-skimming success

E-skimming attacks leverage the inherent behavior of JavaScript, whether first-party or provided by a third-party vendor, to avoid detection. JavaScript runs in the browser, beyond the traditional security edge and internal security protocols, making it difficult for security teams to detect breaches before they do any damage. 

In most cases, Magecart skimmers are only discovered after they have been placed and customer data has already been stolen, since most companies lack the browser-level protection that would let them prevent data from being exfiltrated once a script is compromised. In other words, web security teams are fighting a losing battle: these attacks are difficult to detect, and once a script is infected there is nothing in place to stop the data from leaving the page.
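To make the "browser-level protection" point concrete, here is an added example (not code from the original article, and nothing to do with Macys.com itself) that assumes a Content-Security-Policy header as the control: a skimmer that has read a payment form still needs a network channel (a fetch/XHR, a form submission, or an image request) to get the data off the page, and CSP is the browser mechanism that names which destinations those channels may use. The checker parses a header and reports exfiltration channels left open, with one constructed permissive policy beside a tightened one.

```python
"""
Content-Security-Policy checker for exfiltration channels.

Added example, not from the original article. Both policies below are
constructed samples; the hosts in them are placeholders.
"""
from typing import Dict, List, Optional

# Directives that decide where a script on the page may send data. A skimmer
# that has captured form fields still needs one of these to phone home.
EXFIL_DIRECTIVES = ("connect-src", "form-action", "img-src")

# Source expressions that amount to "any destination" for those channels.
UNRESTRICTED = {"*", "http:", "https:", "ws:", "wss:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}; first occurrence wins, as per spec."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources governing `directive`, honouring default-src fallback.

    form-action is one of the directives that does NOT fall back to default-src,
    so a policy with only default-src still leaves form submissions unrestricted.
    """
    if directive in policy:
        return policy[directive]
    if directive != "form-action" and "default-src" in policy:
        return policy["default-src"]
    return None  # no restriction at all


def review_csp(header: str) -> List[str]:
    """Return findings about channels an injected script could use to exfiltrate data."""
    policy = parse_csp(header)
    findings: List[str] = []

    for directive in EXFIL_DIRECTIVES:
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: not set, any destination allowed")
            continue
        if "'none'" in sources:
            continue
        loose = [s for s in sources if s in UNRESTRICTED]
        if loose:
            findings.append(f"{directive}: unrestricted source(s) {', '.join(loose)}")

    # Separately: can an attacker who got text onto the page run it at all?
    script = effective_sources(policy, "script-src")
    if script is None:
        findings.append("script-src: not set, any script origin allowed")
    elif "'unsafe-inline'" in script and not any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
    ):
        findings.append("script-src: 'unsafe-inline' without nonce/hash, injected inline scripts execute")
    return findings


# Constructed sample: looks restrictive but lets any HTTPS host receive data.
PERMISSIVE_CSP = "default-src 'self' https:; script-src 'self' 'unsafe-inline' https:"

# Constructed sample: every outbound channel names explicit hosts (placeholders).
TIGHTENED_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-r4nd0m'; "
    "connect-src 'self' https://payments.example.com; "
    "form-action 'self'; "
    "img-src 'self'"
)

if __name__ == "__main__":
    for label, header in (("permissive", PERMISSIVE_CSP), ("tightened", TIGHTENED_CSP)):
        print(f"[{label}]")
        for finding in review_csp(header) or ["no open exfiltration channels found"]:
            print("  -", finding)
```

Two caveats a practitioner should keep in mind: the permissive sample shows why `https:` in `default-src` is not a restriction for skimming purposes, and why `form-action` has to be set explicitly. And CSP only limits destinations; it does nothing against a trusted first- or third-party script that is compromised and sends captured data to a host the policy already allows, which is exactly the scenario the article describes.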

Web skimming protection is essential to mitigating risk

As web skimming attacks like Magecart continue to grow in popularity among attackers, organizations must take responsibility for the customer information they collect and ensure they are taking all the necessary steps to reduce risk and keep personal data safe.

Learn more about what went wrong for Macy’s and why web skimming protection in the browser is the only way to protect customer data. 