UPDATED 21:54 EDT / NOVEMBER 19 2019

SECURITY

Credit card details stolen as Macy’s becomes the latest Magecart victim

Macy’s Inc. is the latest company to be hacked in an apparent “Magecart” attack resulting in customer credit card details stolen from its website.

The hack was first detected on Oct. 15, though it’s believed to have taken place Oct. 7, when “unauthorized” code was injected into the checkout pages and wallet page of Macys.com.

Data stolen in the attack included customers’ names, addresses, phone numbers, email addresses, payment card numbers, payment card security codes and payment card expiration dates. The last three are particularly notable because they give those behind the hack the full ability to use the stolen information to make fraudulent transactions.

Macy’s started informing affected customers of the hack Nov. 14 while also noting that it had notified law enforcement and hired “a leading-class forensics firm” to help with their investigation. In addition, the company says that it has informed various card issuers of the breach.

Bleeping Computer reports the hack involved Magecart, a form of attack wherein hackers insert malicious JavaScript code into parts of a targeted site to steal customer information at the point of purchase. Magecart has long been a popular method of stealing customer data from sites that include e-commerce functionality.

Magecart emerged last year with an attack on British Airways Plc., with other sites and companies hacked since. Some of those include Newegg Inc., the Infowars Store, Cathay Pacific Airways Ltd., Ticketmaster Entertainment Inc. and Oxo International Ltd.

Magecart is not attributed to a single group. Instead, it’s a methodology and code used by newer groups targeting ad-related websites and even misconfigured Amazon Web Services Inc. S3 instances.

Macy’s claims that only a small number of customers have been affected by the hack, but the news, leading into the holiday shopping season, was not well-received by investors. Macy’s stock closed down 11%, to $15.04, today on the New York Stock Exchange.

“The Macy’s data breach is concerning for two reasons,” Robert Prigge, president of identity verification company Jumio Corp., told SiliconANGLE. “First, it released even more personally identifiable information into the dark web including names, emails, addresses and credit card information. This compromised data can be combined with other available information to create a ‘fullz,’ giving criminals everything they need to commit identity theft.”

Second, he said, “the retail industry is highly susceptible to seasonal fraud and we are rapidly approaching the busy holiday buying season. Criminals will attempt to weaponize the overwhelming amount of exposed data on the dark web to take over the retail accounts of legitimate consumers or use stolen identity data to commit account registration fraud against online retailers.”

Anurag Kahol, chief technology officer of cloud security firm Bitglass Inc., noted that payment card-skimming malware continues to be a security challenge for retailers.

“As customers begin to purchase their holiday gifts, they are trusting that the merchants are keeping their sensitive data safe,” he said. “Organizations must have complete visibility and control over their data to put them in a better position this holiday season, and year-round, to identify and remediate vulnerabilities that could be exploited by malicious actors.”

Looking at the broader picture going forward, Richard Henderson, head of global threat intelligence at AI-powered network security solutions firm Lastline Inc., said the breach probably wouldn’t affect shoppers to the extent that they won’t shop online there.

“People have either accepted the fact that these things are going to happen from time to time and expect their banks and credit card brands to catch fraudulent use of their cards quickly, or they’ve become jaded by yet another retail breach,” Henderson concluded. “The pros of online shopping still far outweigh the cons.”

Photo: Paulo JC Nogueira/Wikimedia Commons
