Macy's holiday breach highlights retailer's need for encryption and scrutiny of third-party systems

Attackers were collecting customers' credit card information from the Macy's website for more than a week before the retailer was alerted. Here's how retailers can protect themselves.


Just a few weeks before America spends billions of dollars on Black Friday, Macy's is facing a PR nightmare after it was forced to notify thousands of customers that their credit card information had been captured by cybercriminals through malicious code planted on its website on October 7.

The billion-dollar retailer, which operates nearly 600 stores across the country, said hackers injected malicious "card-skimming" JavaScript into its 'Checkout' and 'My Wallet' pages, meaning the card numbers, names and addresses that thousands of customers typed into those pages were copied to an attacker-controlled website as they were submitted.

These attacks, known as Magecart after the criminal groups that pioneered them, are becoming increasingly common. The skimmer runs in the shopper's browser and reads the form fields before the page submits them, so it is not stopped by HTTPS; the usual way in is a weakness in the site itself or in a third-party script the site loads, which is why small online businesses that add plugins and vendors without vetting them are frequent targets. Macy's was not alerted to the attack until October 15, more than a week later, meaning thousands of customers spent days handing their information to criminals who may use it themselves or sell it on the dark web.

"On October 15, 2019, we were alerted to a suspicious connection between macys.com and another website. Our security teams immediately began an investigation. Based on our investigation, we believe that on October 7, 2019 an unauthorized third party added unauthorized computer code to two pages on macys.com," the company wrote in a letter sent out to affected customers earlier this month. 

"The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers on the following two macys.com pages: the checkout page - if credit card data was entered and "place order" button was hit; and the wallet page - accessed through My Account. Our teams successfully removed the unauthorized code on October 15, 2019."

This is Macy's second breach, and it has already had damaging effects on the company's bottom line. When news of the breach spread, the company's stock price fell 11%, and investors expressed serious worry in interviews with Bloomberg ahead of its next earnings report, which comes out on Thursday.


How retailers can protect themselves from data breaches

With Black Friday nearing, there are ways that businesses can protect themselves from similar data breaches. 

The biggest and most important recommendation almost every expert made was for more widespread encryption. Charity Wright, cyber threat intelligence advisor with security firm IntSights, said any website handling credit card information in 2019 without encryption was asking to be attacked. One caveat a practitioner would add: encrypting stored card data and the connection limits what a thief can take from a database or a network tap, but a skimmer that runs in the shopper's browser reads the card number before either protection applies, so encryption has to be paired with control over what code the checkout page loads.

"Still so many retailers don't have their point-of-sale processors encrypted and they're storing credit card data unencrypted which we can guarantee is the source of most of these breaches," Wright said. "The threat actors are going after those unencrypted sources for credit card data, stealing them and then selling them on the dark web."

Monique Becenti, channel and product specialist at security company SiteLock, echoed those concerns and said there were simple things businesses could do to secure their sites, like installing a TLS (SSL) certificate so the site is served over HTTPS. The certificate protects data in transit and serves as a signal to customers that the connection is secured.

"Retailers should always have an SSL certificate installed to protect their consumers. The SSL certificate encrypts information that's going from the e-commerce site to the server. So while it's in transition, the certificate also acts kind of like a VPN in that regard," she said. 

Becenti added that businesses needed to do frequent audits of their security systems as well as their websites, content management systems and software to make sure everything was patched and up to date. 

Part of that audit needs to cover every system connected to the internet, including those managed by third parties. According to the researchers, part of what led to the Macy's breach was a third party involved in managing its website, which Macy's has not named.

James McQuiggan, Security Awareness Advocate with cybersecurity firm KnowBe4, said companies had to establish policies and procedures to verify that internet-facing infrastructure is securely configured. 

"Organizations will need to restrict third-party vendors' access to sensitive data," he said. "Having strong and robust third-party policies to restrict external access to sensitive information and only allow verified code or scripts to be executed will greatly reduce exposure. And if a breach does occur, the attacker's opportunity to get data is severely impeded."

Wright agreed and said the Macy's hack was a classic example of the worst-case scenario retailers face with third-party providers throughout their supply chain, including the companies in charge of things like their websites or point-of-sale systems. 

"Macy's was working with a third party that had unauthorized access to inject code into their website. It's extremely important for retailers, especially, to do risk assessments about who they work with, what their security posture is and how much risk is being taken by working with these third parties. Even if it's a security company," Wright said. 

"A lot of times you work so hard at guaranteeing your own security in your own organization but then if you want to work with a third party, how many organizations are actually asking if they can know about their security posture or protocols." 

She added that Macy's could treat the incident as an impetus to take the lead on cybersecurity and set an industry example of more stringent requirements for third-party companies.

Wright said the massive retailer could set a standard "by saying that in order to work with us or work with our IT infrastructure, you have to follow all of these security protocols."

As for how Macy's handled the incident, most of the researchers criticized how long it took the company to realize there was a breach at all. They also said the remedies offered to affected customers, detailed in the letter, were the bare minimum given what the criminals now hold for each of those customers: name, address, phone number, email address, payment card number, payment card security code and payment card expiration date.

In its letter, Macy's told customers involved in the breach that it took a number of actions once it was officially notified of the hack: it contacted federal authorities, hired a cybersecurity firm to investigate, and reported the affected payment card numbers to Visa, Mastercard, American Express, Discover and other card companies.

After downplaying the potentially life-changing impact of having this information in criminal hands, the retailer says it is offering just one year of subscription to the Experian IdentityWorks credit monitoring service. It added that Experian can help customers contact creditors to dispute charges and close accounts, place a freeze on their credit files with the three major credit bureaus, and contact government agencies to help restore their identities.

While this may seem like a lot of help from Macy's, multiple security researchers said this was the most basic set of actions the company could take considering the severity of the attack. 

Emily Wilson, vice president of research at risk protection firm Terbium Labs, said the personal data obtained in the attack still retained its value despite the proactive efforts of credit monitoring companies and government agencies.

Just by knowing where a person banks, knowing the holidays are coming up and knowing that the person just experienced a breach gives cybercriminals a lot of room to work in creating targeted phishing, smishing, or vishing campaigns designed to capture additional information, Wilson said in a statement. 
 
Additionally, cybercriminals could hide scams or malicious code within messages claiming to come from Macy's as part of the remediation process, or impersonate the financial institution the customer banks with, according to Wilson.
 
"While it's good that Macy's caught the issue before the surge of spending on Black Friday, the timing of this breach is also deeply inconvenient for customers who will need to have accounts closed and cards reissued. Those heading out of town early next week for the Thanksgiving holiday may find themselves without one or more of their primary payment cards – guaranteed to create a hassle, and certainly not going to endear anyone to Macy's or their financial institution in the process," Wilson added. 
 
"Banks are going to face the fallout from this breach alongside Macy's, and now that the fraudsters know where these customers maintain accounts, financial institutions may see long tail implications from the payment data caught in this breach as well."

Herald Square Crowd

Image: Andrew F.Kazmierski/Getty Images