Macy's breach exposed customer data, credit card numbers

The breach impacted online profiles of customers of Macy's and Bloomingdale's.

Sean Keane Former Senior Writer
Sean knows far too much about Marvel, DC and Star Wars, and poured this knowledge into recaps and explainers on CNET. He also worked on breaking news, with a passion for tech, video game and culture.
Expertise Culture | Video Games | Breaking News
Sean Keane
2 min read
Macy's store in New York City

Macy's online stores were hit with a data breach.

SOPA Images

Some Macy's online customers became victims of data theft, including their credit card numbers, following a breach in the retailer's security.

The breach took place between April 26 and June 12, during which time an "unauthorized third party" managed to obtain usernames and passwords and then log onto Macy's and Bloomingdale's shoppers' online profiles, the company said in a letter sent July 2 to the New Hampshire Attorney General's Office and first reported by DataBreaches. Macy's owns Bloomingdale's.

The leaked info may include customers' names, addresses, phone numbers, email addresses, birthdays, and credit and debit card numbers with expiration dates. However, the company noted that neither Credit Verification Values (CVV) nor Social Security numbers are stored on its online customer profiles. Macy's said it reported the exposed card numbers to Visa, Mastercard, American Express and Discover.

Profiles with suspicious login activity were blocked until the customers changed their passwords, Macy's said.

"We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures," the company said in a statement. "Macy's, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services."

The total number of accounts accessed wasn't released, but the letter noted that 753 New Hampshire residents were affected. Macy's attached to the letter a document dated June 27 that was apparently sent to affected customers.

Last month, Adidas' US site fell victim to a similar breach. Its initial investigation suggested that some people's contact information, usernames and encrypted passwords were stolen.