Incident: Data Breach at Macy's Online Shopping Site Caused by Magecart Code

Published Date: 2019-11-19

Postmortem Analysis
Timeline
1. The software failure incident at Macy's online shopping site, where credit card information was stolen, happened on October 7, as reported in Article 92138.

System
1. Payment portal on Macy's online shopping site [92138]
2. Magecart card-skimming code [92138]

Responsible Organization
1. Magecart card-skimming code implanted in the payment portal [92138]

Impacted Organization
1. Customers of Macy's were impacted by the software failure incident [92138].

Software Causes
1. The software cause of the failure incident was a Magecart card-skimming code implanted in the payment portal on Macy's online shopping site, leading to the data breach where credit card information was stolen [92138].

Non-software Causes
1. Lack of robust cybersecurity measures to prevent unauthorized access to the payment portal [92138]
2. Failure to detect the presence of the Magecart card-skimming code on the website in a timely manner [92138]

Impacts
1. Customer information such as names, addresses, phone numbers, email addresses, payment card numbers, expiries, and security codes was accessed by the unauthorized third party [92138].

Preventions
To prevent the software failure incident at Macy's where a data breach occurred due to a Magecart card-skimming code, the following measures could have been taken:
1. Regular Security Audits and Monitoring: Implementing regular security audits and continuous monitoring of the website's codebase could have helped detect unauthorized code additions promptly [92138].
2. Secure Payment Gateway Integration: Ensuring the use of secure payment gateway integration methods and regularly updating the payment portal's security features could have prevented the insertion of malicious code [92138].
3. Employee Training on Cybersecurity: Providing comprehensive training to employees on cybersecurity best practices, including recognizing and reporting suspicious activities, could have increased awareness and potentially prevented the breach [92138].
4. Multi-Factor Authentication: Implementing multi-factor authentication for customer transactions could have added an extra layer of security to prevent unauthorized access to customer data [92138].
5. Encryption of Customer Data: Encrypting customer data, especially sensitive information like payment card numbers and security codes, could have made it harder for attackers to access and misuse the data even if they managed to breach the system [92138].

Fixes
1. Implementing regular security audits and monitoring to detect any unauthorized code additions or suspicious activities on the website [92138].
2. Enhancing the security measures of the payment portal to prevent future Magecart card-skimming attacks [92138].
3. Conducting thorough code reviews and vulnerability assessments to identify and address any potential weaknesses in the website's codebase [92138].
4. Educating employees and staff members on cybersecurity best practices to prevent similar incidents in the future [92138].

References
1. Macy's statement to customers [92138]
2. CNET sister site ZDNet [92138]

Software Taxonomy of Faults

Category: Recurring
Option: multiple_organization
Rationale:
(a) The software failure incident related to Macy's online shopping site being breached due to a Magecart card-skimming code implanted in the payment portal has not been reported to have happened again within the same organization [92138].
(b) The software failure incident related to a data breach caused by a Magecart card-skimming code at Macy's online shopping site is a type of incident that has occurred at other organizations as well, where similar malicious codes have been used to steal customer information [92138].

Category: Phase (Design/Operation)
Option: design
Rationale:
(a) The software failure incident at Macy's was due to a design issue. The breach was caused by a Magecart card-skimming code that was implanted in the payment portal of the online shopping site during the development phase [92138]. The unauthorized computer code was added to two pages on macys.com, indicating a design flaw that allowed a third party to capture customer information at the checkout page and the wallet page.
(b) The software failure incident at Macy's was not due to an operation issue. There is no indication in the article that the failure was caused by the operation or misuse of the system.

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system: The software failure incident at Macy's online shopping site was caused by a Magecart card-skimming code implanted in the payment portal. Unauthorized computer code was added to two pages on macys.com, allowing a third party to capture customer information at the checkout page and the wallet page. Macy's discovered this issue internally after being alerted about a "suspicious connection" between its site and another [92138].
(b) outside_system: The breach, which led to the software failure incident, was caused by external factors, specifically the Magecart card-skimming code implanted by a third party. This code was added to Macy's website without authorization, indicating that the contributing factors originated from outside the system [92138].

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident at Macy's was caused by a Magecart card-skimming code implanted in the payment portal, which was a non-human action [92138]. The unauthorized computer code was added to two pages on macys.com, allowing a third party to capture customer information at the checkout page and the wallet page. Macy's discovered this suspicious connection and took action to remove the code once it was identified.
(b) Human actions were involved in the response to the incident. Macy's alerted customers about the data breach, contacted federal law enforcement, and informed major credit card companies like Mastercard, American Express, Visa, and Discover. Additionally, Macy's mentioned that it has "taken steps" to prevent such incidents from happening again, indicating human intervention in addressing the aftermath of the software failure [92138].

Category: Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident at Macy's was not due to hardware issues but rather due to a Magecart card-skimming code implanted in the payment portal, which is a software-related issue [92138].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident at Macy's was malicious in nature. The data breach on its online shopping site was caused by a Magecart card-skimming code implanted in the payment portal, indicating that the breach was due to contributing factors introduced by humans with the intent to harm the system [92138].

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The software failure incident at Macy's online shopping site, where credit card information was stolen due to a Magecart card-skimming code, can be attributed to poor decisions made by the attackers who implanted the malicious code [92138]. Additionally, Macy's response to the incident, such as being alerted to a "suspicious connection" on Oct. 15 but only discovering the unauthorized code added on Oct. 7, could also be seen as a result of poor decisions in terms of timely detection and response to the breach.

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale:
(a) The software failure incident at Macy's online shopping site, where credit card information was stolen due to a Magecart card-skimming code implanted in the payment portal, can be attributed to development incompetence. The unauthorized computer code was added to two pages on macys.com, allowing a third party to capture customer information at the checkout page and the wallet page. This indicates a lack of professional competence in ensuring the security and integrity of the payment portal, leading to the data breach [92138].
(b) The accidental introduction of the malicious code into Macy's online shopping site, leading to the data breach, can also be considered a contributing factor in the software failure incident. The breach was discovered after Macy's was alerted to a "suspicious connection" between its site and another, indicating that the presence of the code was not intentional but accidental. This accidental introduction of the code highlights a vulnerability in the system that was exploited by malicious actors [92138].

Category: Duration
Option: temporary
Rationale:
(a) The software failure incident in this case was temporary. The breach caused by the Magecart card-skimming code was discovered on October 15, and Macy's removed the unauthorized code on the same day. This indicates that the incident was not permanent but rather temporary in nature [92138].

Category: Behaviour
Option: crash, omission, value, other
Rationale:
(a) crash: The software failure incident in the Macy's data breach article can be categorized as a crash. The unauthorized computer code added to the Macy's website caused a loss of control over the system's state, leading to the system not performing its intended functions of securely processing customer payment information [92138].
(b) omission: The incident can also be classified as an omission. The unauthorized code omitted the system from performing its intended functions of protecting customer data by allowing a third party to capture sensitive information during the checkout process [92138].
(c) timing: The timing of the failure is not explicitly mentioned in the article. However, it can be inferred that the system may have performed its intended functions correctly but at the wrong time, as the breach was detected after the unauthorized code had been active for several days [92138].
(d) value: The incident can be associated with a value failure. The system performed its intended functions incorrectly by allowing unauthorized access to and theft of customer information, including payment card numbers, names, addresses, and security codes [92138].
(e) byzantine: The article does not indicate any byzantine behavior in the software failure incident. The breach was primarily attributed to the insertion of a Magecart card-skimming code, leading to unauthorized data access and theft [92138].
(f) other: The other behavior exhibited in this software failure incident could be categorized as a security vulnerability. The unauthorized insertion of code exploited a security vulnerability in the payment portal, enabling the theft of sensitive customer information [92138].

IoT System Layer

Layer: Perception
Option: None
Rationale: None

Layer: Communication
Option: None
Rationale: None

Layer: Application
Option: None
Rationale: None

Other Details

Category: Consequence
Option: property
Rationale:
(d) property: People's material goods, money, or data was impacted due to the software failure. The software failure incident at Macy's online shopping site resulted in a data breach where credit card information may have been stolen. Customer information, including names, addresses, phone numbers, email addresses, payment card numbers, expiries, and security codes, was accessed by a third party due to the unauthorized computer code added to the website [92138].

Category: Domain
Option: sales
Rationale:
(a) The failed system in this incident was related to the sales industry, specifically online retail, as Macy's online shopping site experienced a data breach where credit card information was stolen [92138].
