That’s over a month to make a public announcement. Under GDPR rules they would have 48 hours…:
Macy’s Inc.’s stock price dropped this week following news it had experienced a cyber breach that accessed its customers’ credit card information.
The Cincinnati-based retailer’s stock price dropped close to 11% in trading on Tuesday after the zdnet.com website reported a Nov. 14 letter the company sent to customers about the breach.
The retailer said in the letter it was alerted on Oct. 15 to a “suspicious connection” between macys.com and another website, and its security teams immediately began an investigation.
It said it believes that on Oct. 7, 2019, an unauthorized third party added computer code to two pages on its website. “The unauthorized code was highly specific and only allowed the third party to capture information submitted by customers” on two of its macys.com pages, said the ruling. “Our teams successfully removed the unauthorized code on Oct. 15, 2019,” it said.
It said the cyber criminals potentially accessed data including names, addresses, phone numbers, email addresses and payment card information including security codes and expiration dates.
The retailer said it has contacted law enforcement and a forensics firm to assist in its investigation and has reported the incident to card issuers. It said it has also “taken steps to prevent this type of unauthorized code from being added to macys.com.”
In response to a query, the company said in a statement it was “aware of a highly sophisticated and targeted data security incident related to macys.com that affected a small number of customers during a one-week period in October.” It said, “Affected customers have been notified and will receive additional information, including instructions on how to enroll in consumer protection services at no cost. Security and privacy remain our priority.”
It did not respond to a question about cyber coverage.
Macy’s previously warned of a data breach in July 2018.