For the second time in as many years, Macy’s customers have been hit by a data breach involving countless numbers of credit cards.
In a filing with the California attorney general, the retail giant said hackers siphoned off customers’ names, addresses, and phone numbers, but also credit card numbers, card verification codes, and expiration dates by inserting malicious code on its website and quietly sending the stolen data back to the hackers.
Macy’s said the breach lasted a week, between October 7 and October 15. The retail giant did not say how many customers were affected, but the breach is likely to affect thousands of customers.
It’s the latest example of hackers breaking into websites and installing credit card skimming malware. It’s not known who was behind the credit card theft, but a hacking group known as Magecart has been behind some of the largest credit card skimming efforts in recent years — including the American CancerSociety, BritishAirways, Ticketmaster, AeroGarden and Newegg.
Last year, Macy’s admitted a months-long breach that saw hackers steal credit card data and passwords about 0.5% of its customer base — on both its website and Bloomingdale’s site, which Macy’s owns. The breach resulted in a class action suit, which accused Macy’s of “lackadaisical, cavalier, reckless, and negligent” security practices.
Macy’s is one of the most popular websites in the U.S., according to Alexa rankings.