On November 19, 2019, Tripwire.com reported (“Macy’s Says Security Incident Might Have Exposed Customers’ Data“) that

Macy’s is notifying customers about a data security incident that might have exposed some of their personal and financial information.

The American department chain store said that it first learned of the incident back in mid-October. At that time, Macy’s security teams launched an investigation into a suspicious connection between macys.com and another website. They found that an unauthorized third party had added unapproved code to two of the chain’s web pages: the checkout page and the wallet page, which is accessible via My Accounts.

This code might have exposed customers’ personal and financial information in the event they used Macy’s website to make a purchase or store their payment data. These details might have included customers’ names, email addresses and payment card credentials. [Emphasis added.]

On November 18, 2019, Bleepingcomputer.com reported (“Macy’s Customer Payment Info Stolen in Magecart Data Breach“) that

Macy’s has announced that they have suffered a data breach due to their web site being hacked with malicious scripts that steal customer’s payment information.

This type of compromise is called MageCart attack and consists of hackers compromising a web site so that they can inject malicious JavaScript scripts into various sections of the web site. These scripts then steal payment information that is submitted by a customer.

According to a ‘Notice of Data Breach‘ issued by Macy’s, their web site was hacked on October 7th, 2019 and a malicious script was added to the ‘Checkout’ and ‘My Wallet’ pages. If any payment information was submitted on these pages while they were compromised, the credit card details and customer information was sent to a remote site under the attacker’s control. [Emphasis added.]

Have You Been Impacted by A Data Breach?

If so, please either contact Kehoe Law Firm, P.C. Partner Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], complete the form on the right or send an e-mail to [email protected] for a free, no-obligation case evaluation of your facts to determine whether your privacy rights have been violated and whether there is a basis for a data privacy class action.

Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs.  Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.