Macy’s is warning its customers of a data breach that allowed an unknown third party to harvest sensitive information, including customer debit and credit card numbers, from online accounts for nearly two months.
The cyberthreat lasted from April 26 to June 12, allowing the third party to access an unknown number of customer accounts. Macy’s notified Macys.com and Bloomingdales.com customers that the third party used valid usernames and passwords to gain access to the accounts.
The retailer said that it detected the “suspicious activity” on June 11 and blocked access to online accounts until customers changed their passwords.
Cybercriminals were able to log in to accounts, gaining access to the customer’s full name, street address, email address, phone number, birthdate, and debit and credit card numbers along with their expiration dates.
Macy’s online database does not store CVV (Card Verification Value) numbers printed on the back of most cards, or social security numbers.
Macy’s said in its letter to customers that the unknown third party obtained customer login information from a source other than Macy’s. Because the leaked information exists outside of Macy’s data systems, the retailer is strongly urging customers to change their login password and “remain vigilant” for fraud and identity theft that could result.
“We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures,” Macy’s said in a statement to Fortune. The retailer said the cyber thieves obtained the customer login information and passwords from other sites and then used them to gain access to Macys.com and Bloomingdales.com accounts online.
The company said it is providing its customers with a free year’s subscription to AllClear ID identity protection.
Lawyers at Beasley Allen are filing a class action lawsuit on behalf of consumers harmed by the Macy’s data breach. For information about joining this suit, fill out our contact form or call the firm at 800-898-2034.