If you've been shopping online at Macy's or Bloomingdale's recently, beware: The websites of the popular American department stores are the victims of a data breach—one that lasted for nearly two months this spring.
Here's What Happened
Macy's and Bloomingdale's (both owned by parent company Macy's, Inc.) recently sent letters to some of their online customers confirming the retailer had discovered a cybersecurity threat to its systems on June 11, 2018.
According to the letters, first reported by the Detroit Free Press, "an unauthorized third party, from approximately April 26, 2018, through June 12, 2018, used valid customer usernames and passwords to log in to customer online profiles."
Hackers were able to access users' first and last names, addresses, phone numbers, email addresses, birth dates, and debit and credit card numbers with expiration dates, Macy's said. The company added that Social Security numbers and CVV security numbers on the back of cards were not exposed.
The company has blocked the affected user profiles until passwords are changed by the customers, Macy's said.
"We are aware of a data security incident involving a small number of our customers at Macys.com and Bloomingdales.com," the company said in a statement sent to media outlets.
"We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures. Macy's, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services."
What to Do If You're a Macy's or Bloomingdale's Customer
Users affected by the data breach should have received the customer letter notification about the breach. You should have also received an email indicating that your profile is blocked until you update your password.
If you didn't get the email, Macy's suggests checking your spam folder for an email with the subject line "Important information about your Macy's online profile."
1. Change Your Passwords
If you did get a notification that your account was affected, change your Macys.com or Bloomingdales.com password immediately. If your account was not affected, you may want to update your password anyway. While you're at it, you may want to change the passwords on your credit and debit accounts, as well.
2. Update Your Debit and Credit Card Numbers
Make note of the credit or debit cards you used in your Macy's or Bloomingdale's accounts and call the issuers for new account numbers. Simply explain that you want a new account number and PIN because you're afraid your data has been compromised; they will issue you new cards at no cost. (You won't want to delay—this information can be sold and used quickly on the dark web.)
3. Monitor Your Account Activity
You'll want to keep an eye on your accounts for suspicious activity, as well. Don't just blindly pay off your bills each month—be sure to eyeball your statements to make sure there aren't any unauthorized charges. You can also set up text and email alerts on your credit and debit accounts notifying you when they are used, which will update you in real time if there's an unauthorized purchase.
Be sure to report fraudulent charges immediately. You're not liable for fraudulent credit card transactions, but waiting too long to report a fraudulent debit card charge could leave you on the hook for up to $500.
4. Keep an Eye on Your Credit
Data breaches are a fact of life in an increasingly digital world, which is why it's smart to remain vigilant about your identity. The best thing you can do is to monitor your credit reports for new inquiries or account openings that may be the handiwork of identity thieves.
If you're concerned about fraudulent activity, consider filing a free initial security alert that remains active on your account for 90 days at the Experian fraud center. (You only need to file it with one bureau—they are legally required to share such alerts with their counterparts, so you don't need to file with all three.)
This fraud alert will notify any lenders pulling your credit report to take extra steps to verify your identity—a measure that can frustrate and dissuade identity thieves. However, fraud alerts do not block access to your credit reports altogether. For the highest level of protection, you might want to freeze your credit reports, a measure that prevents lenders from issuing new credit in your name altogether.
Credit freezes currently cost about $10, though they can go up to $20 depending on the state where you reside. It also costs a small fee to "unfreeze" your credit if you need to apply for it in your name, as well. However, Congress recently passed legislation making credit freezes free, though that change does not take effect until this fall.
For more information on what to do if your credit or debit card has been part of a data breach, visit our complete guide at Experian.com.