Macy’s today had its name added to a growing list of retailers announcing this year that their internal security systems were breached, leaving consumers’ data vulnerable.
When Target encountered its cyberattack in 2013, it seemed like a relative outlier among retailers. The hack affected a whopping 41 million consumers and in 2017 led to an $18.5 million multistate settlement, the largest ever of its kind. Now it appears fashion sellers are encountering this problem in droves (albeit often on a smaller scale).
In fact, the number of U.S. data breach incidents tracked in 2017 hit a record high of 1,579, according to the 2017 Data Breach Year-End Review by the Identity Theft Resource Center and CyberScout. The report indicated a drastic 44.7 percent increase over the record-high figures reported for 2016.
Here, a look at the brands and retailers that have faced security attack issues this year. (Hint: There’s been at least one data hack reported by fashion firms each month since March.)
The department store said today that a third party gained access to accounts on Macys.com and Bloomingdales.com using valid usernames and passwords between April 26 and June 12. While it said only “a small number” of its customers were affected by the breach, it didn’t specify how many and said only that the data was obtained from a source other than Macy’s.
The retailer’s cybersecurity tools detected suspicious login activities on June 11, and on June 12, it blocked the accounts that appeared to have been breached.
With the login information, the third party would have been able to access customers’ full names, addresses, phone numbers, email addresses, birthdays and debit or credit card numbers with expiration dates (although not security or CVV codes).
In late June, the Germany-based athletic brand said it had reached out to “certain” Adidas.com/US consumers to inform them of a potential data security breach and that a forensic review was underway.
“On June 26, Adidas became aware that an unauthorized party claims to have acquired limited data associated with certain Adidas consumers,” the brand said in a statement. “According to the preliminary investigation, the limited data includes contact information, usernames and encrypted passwords. Adidas has no reason to believe that any credit card or fitness information of those consumers was impacted.”
Sears Holding Corp. — the owner of the Kmart and Sears department store chains — in April informed customers that it was notified by software service provider 7.ai about a data security incident last fall. The breach involved the unauthorized access to customers’ personal data and payment information, including names, addresses and credit card numbers. The company said fewer than 100,000 of its shoppers — who completed a transaction on the Sears website between Sept. 27, 2017, and Oct. 12, 2017 — might have been negatively impacted.
“As soon as they informed us in mid-March 2018, we immediately notified the credit card companies to prevent potential fraud and launched a thorough investigation with federal law enforcement authorities, our banking partners and IT security firms,” the company explained in the statement.
Saks Fifth Ave., Lord & Taylor
HBC, owner of luxury department stores Saks Fifth Ave. and Lord & Taylor, said on April 1 that it had been hit with a data security breach and was trying to determine the extent of the situation, which involved customer payment card data. The company did not believe its e-commerce or other digital platforms were impacted. Hudson’s Bay, Home Outfitters and HBC Europe stores also were unaffected, HBC said.
According to New York-based cybersecurity firm Gemini Advisory, debit and credit card information was stolen from more than 5 million customers who shopped in North American store locations. (HBC didn’t comment about the number of people impacted.)
On April 27, HBC said it had “contained the issue on March 31, 2018, and believes it no longer poses a risk to customers shopping at its stores.”
In late March, Under Armour announced it was investigating a data security incident that affected around 150 million members of its MyFitnessPal app and website — the sportswear brand’s food and nutrition platform. The company said it learned a few days prior that an unauthorized group collected data of MyFitnessPal user accounts in late February, and “quickly took steps to determine the nature and scope of the issue” before alerting the lifestyle network’s members with guidance on how to protect their information.
In March, a lawsuit was filed against Under Armour by MyFitnessPal user Rebecca Elizabeth Murray for breach of contract, invasion of privacy and other claims. (The suit also sought class action status.) Under Armour in May filed a motion to dismiss the case.