Macy’s has sent letters to customers warning them that a cyber threat targeted customers’ online account information for nearly two months.
On June 11, Macy’s cyber threat alert tools uncovered the attack on macys.com and bloomingdales.com customer accounts and blocked the compromised profiles. Hackers were able to access customers’ names, addresses, phone numbers, email addresses, birthdays, and credit or debit card numbers with expiration dates.
The Cincinnati- and New York City-based retailer issued a statement on Monday:
“We are aware of a data security incident involving a small number of our customers at macys.com and bloomingdales.com. We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures. Macy’s Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services.”
Macy’s officials said the suspicious activity took place from April 26 to June 12. A third party obtained valid usernames and passwords through websites not related to macys.com or bloomingdales.com and used them to gain access to customers’ accounts.
The pilfered information did not include social security numbers or the CVV security numbers that appear on the backs of credit cards, officials said.
Macy’s, Inc. is one of the nation’s premier retailers, with fiscal 2017 sales of $24.837 billion and approximately 130,000 employees. The company operates more than 690 department stores under the nameplates Macy’s and Bloomingdale’s, and approximately 160 specialty stores that include Bloomingdale’s The Outlet, Bluemercury and Macy’s Backstage. Macy’s, Inc. operates stores in 44 states, the District of Columbia, Guam and Puerto Rico, as well as macys.com, bloomingdales.com and bluemercury.com. Bloomingdale’s stores in Dubai and Kuwait are operated by Al Tayer Group LLC under license agreements. Macy’s, Inc. has corporate offices in Cincinnati and New York City.