Just when you thought you might have heard the last of them, MageCart have appeared in the news again this week following another data breach. This time it’s popular US retailer, Macy’s, that were on the receiving end of this malicious attack, affecting the payment details of their online customers.
Compromised information included customers’ first and last names, addresses, phone numbers, email addresses and sensitive payment card information (including the security / CVV code). It is not yet known how many people were affected by the breach, but an analysis by SimilarWeb of U.S. retail site rankings, cited Macys.com as number one with more than 55.7 million monthly visits throughout April. Macy’s have stated they are taking the relevant steps to provide help for customers, and ensure appropriate measures are implemented so it does not happen again.
In a data breach notice Macy’s sent out to customers, they said:
“We are aware of a highly sophisticated and targeted data security incident related to macys.com that affected a small number of customers during a one-week period in October. Affected customers have been notified and will receive additional information, including instructions on how to enrol in consumer protection services at no cost”.
MageCart have become prominent players in the hacking community throughout 2018 and 2019, impacting many high-end brands such as FILA, Ticketmaster, Forbes, British Airways and Newegg. Security specialists have argued that measures to prevent such attacks are not what they should be, and organisations that customers trust with their valuable data, should be doing more to deter hackers.
Colin Bastable, CEO of Lucy Security, said:
“MageCart is not a mystery, by now, one might think that ‘additional security measures’ would be added to all websites as a matter of course, before hackers drop in some malicious code. That is the definition of a precaution. Macy’s has implemented what should be described as a security post caution”.
In order to minimise the risks and impact of a breach, such as MageCart, there are solutions organisations can implement. It’s imperative that businesses evaluate the security of their entire network for taking payments, ensuring that their customers data is safeguarded. PCI compliance throughout their applications, systems and services is crucial when it comes to reducing the threat of malicious cyber-attacks.
By working with a third-party payment solutions provider, such as Key IVR, organisations are able to take the worry of malicious online attacks away from their own environment. Sensitive payment data can be taken “out of scope”, becoming an effective way of avoiding this form of attack.