
Unauthorized party accesses and customer accounts

For nearly two months, an unauthorized party reportedly used stolen usernames and passwords to log into the online accounts of certain and customers.

The breach took place from April 26 through June 12, compromising data such as full names, addresses, phone numbers, email addresses, birthdays, and payment card numbers with expiration dates, according to a July 6 report in the Detroit Free Press.

The incident was detected by Macy's cyber threat alert tools on June 11, and no CVV or Social Security numbers were affected, the retailer told customers in a letter last week, the Free Press further reports. Macy's has blocked the compromised customer profiles, which can only be reactivated if their rightful owners change their passwords.

“We are aware of a data security incident involving a small number of our customers at and,” reads a brief corporate statement, sent to SC Media today. “We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures. Macy's, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services.”

John Gunn, CMO at OneSpan, wasn't particularly impressed with Macy's statement. “Macy's declaration that they have added additional security measures as a precaution is like saying you have added fire extinguishers after the building has burnt to the ground,” said Gunn in an emailed statement. “Private citizens have no way of knowing if the firms that they have trusted are implementing proper security measures and the frequency with which breaches continue to occur would indicate that this is not the case. Most firms implement necessary security, such as multifactor authentication, but additional regulation is needed to ensure that all of them do.”

“Stolen retail accounts are a hot commodity on the dark markets and there are many shops selling them,” said Andy Norton, director of threat intelligence at Lastline, in another emailed statement. “Using stolen accounts to buy items from a retailer is one of the big money-making activities for cybercriminals.”

Norton noted that the retail industry faces multiple challenges while defending itself from cyber actors. “Firstly, they hold lots of personally identifiable information (PII) data which exposes them to potentially big GDPR fines. Secondly, their online business systems are often targeted with stolen accounts and credit cards in order to get 'carded items,' which means things purchased using identity theft,” he said.

As a countermeasure, “Retailers offering two factor authentication would be a good way to restore confidence in online shopping activity,” Norton continued.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
