Macy’s is notifying customers of a data breach involving unauthorized access to their payment card data and personal information.
In a notice sent to affected customers, Macy’s said it first detected suspicious login activity from certain Macys.com accounts on June 11, 2018.
“Based on our investigation, we believe that an unauthorized third-party – from approximately April 26, 2018, through June 12, 2018 – used valid customer user names and passwords to login to customer online profiles,” the retailer said.
The breach also appears to affect customers who shopped on Bloomingdales.com, which is owned by Macy’s.
Compromised information included customer names, home addresses, phone numbers, email addresses and birthdays, as well as debit or credit card numbers with expiration dates.
However, no CVV or Social Security numbers were impacted.
In response to the breach, Macy’s said it has blocked profiles with suspicious logins, advising customers to update their account passwords in order to regain access.
“We have reported relevant debit and credit card numbers to Visa, Mastercard, American Express, and Discover. We have also added additional security rules around website login,” said Michael Gatio, president of Macy’s credit and customer services.
The retailer added that it believes the unauthorized third-party obtained the stolen credentials from a source other than Macy’s.
Although the company did not specify the extent of the data breach, it said only “a small number” of Macys.com and Bloomingdales.com customers were involved.
In the meantime, customers are advised to monitor their account statements closely for any unauthorized activity.
“You should remain vigilant for incidents of fraud and identity theft, including by regularly reviewing account statements and monitoring credit reports,” the company said.
Macy’s joins a long list of major retailers that have recently fallen victims to data breaches, including Adidas, Under Armour, Forever21, Saks Fifth Avenue and Lord & Taylor.