Will a hack ruin Macy’s Christmas?

It’s becoming an annual event at Macy’s, and not the good kind like Thanksgiving Day parades or Fourth of July fireworks. For the second year in a row, the department store retailer has informed customers that its system has been breached, exposing their personal and financial information to hackers. The news comes at arguably the worst time possible for the chain as it heads into the Christmas selling season.

Macy’s, which said the breach lasted between Oct. 7 and 15, did not provide the number of accounts affected. The retailer said that hackers gained access by attaching malicious code to the “Checkout” and “My Wallet” pages on macys.com. The data thieves captured customers’ first and last names, home addresses, emails, payment card numbers, security codes and expiration dates.

The retailer has said that its website has been cleaned of the malicious code and that it has notified law enforcement and hired a forensics team to assist in the breach investigation.

Macy’s, which has mailed out notices to customers, is offering a free year of Experian credit monitoring to those who were affected.

The department store retailer suffered a data breach last year that lasted between April 26 and June 12. During that time, hackers gained access to customers’ usernames and passwords through macys.com and bloomingdales.com. At the time, Macy’s said it had “implemented additional security measures” to protect sensitive customer information from data thieves. 

Macy’s share price fell 11 percent yesterday in response to the data breach news and concerns over how it could affect the retailer’s traffic and sales numbers during the holidays.

DISCUSSION QUESTIONS: Will news of the Macy’s data breach negatively affect its holiday sales performance? Does Macy’s need to take steps other than those already taken to deal with the public reaction and underlying weaknesses in its systems?

24 Comments
Neil Saunders
Famed Member
4 years ago

This won’t be helpful and there will be some negative consumer perception as a result of the hack. However, to be frank, Macy’s was never on course for a particularly happy holiday. The retail basics are not in place to support growth. In my view, this will only serve to make things worse.

Jeffrey McNulty
Reply to Neil Saunders
4 years ago

I concur with your assessment, Neil. This will only damage their brand even further.

Suresh Chaganti
Member
4 years ago

One of the problems is, it is not uncommon to use the same userid/password combo on multiple sites. This means a breach on one website can have a collateral impact on others. The compromise of Disney+ earlier this week is also a case in point. Unfortunately, data breaches have become the new normal, and it may have a short term blip for Macy’s for a few days, but the silver lining for Macy’s is that this did not blow up a week from now.

Dick Seesel
Trusted Member
4 years ago

Unfortunately, these kinds of data breaches have become routine, to the point where shoppers react with a shrug. Macy’s holiday outlook rests with its merchandising, store experience and marketing strategies…good or bad.

Zel Bianco
Active Member
4 years ago

Unfortunately this is a reality of online commerce. It is also a reality that it is the responsibility of the merchant to make sure that their systems remain safe at all times. That this has happened again at Macy’s is proof that either not enough was done to prevent this from happening again or that, no matter what is done, it seems it is never enough to keep one step ahead of the bad people that want to do harm to Macy’s. Macy’s and all merchants need to do more but cybersecurity is a moving target and it will always be very challenging to stop this 100 percent of the time.

Jeff Sward
Noble Member
4 years ago

This is an unfortunate development. My local Macy’s is in a solid B mall and looks better recently than it has in the last couple years. Inventory levels seem to be in control. Presentation standards are very much improved, even if every fixture has a sale sign on top. Cash/wraps are manned. It looks like a very real effort at improving on the basics is in motion. A data breach is the last thing any retailer needs.

Dave Bruno
Active Member
4 years ago

Sadly, breaches have become so common I am not convinced they have significant impacts on consumer behaviors anymore. While this news is certainly the last thing Macy’s needs, I am not sure it will be the deciding factor for them this holiday season.

Rich Kizer
Member
4 years ago

How horrible. Strike one and now strike two? There comes a point where consumer confidence is shaken to a deeper and more dangerous level. This is the last thing Macy’s needed, and frankly their answer/actions must be believable, which is going to be hard. This is one bad place for Macy’s to be at this time.

Jeffrey McNulty
Reply to Rich Kizer
4 years ago

I completely agree with you, Rich. This type of behavior is unacceptable for the second time in two years. I would not feel confident shopping at Macy’s this holiday season.

Cynthia Holcomb
Member
4 years ago

Two data breaches within two years, especially at customer-facing “checkout” and “my wallet” tools is unacceptable. The negative effect on holiday sales will depend upon the reach of media coverage of Macy’s latest breach. As a shopper who has to personally deal with the unnecessary time spent dealing with their credit card info being stolen, why take the chance to shop Macy’s just to buy Aunt Sue a Christmas sweater? Amazon awaits.

Paula Rosenblum
Noble Member
4 years ago

The only retail data breach I can recall that caused a stir was the Target breach several years ago. But it wasn’t the breach itself that created ill will — it was the company’s response, which was to arbitrarily put limits on all its corporate debit cards, instead of just issuing new ones. One lesson I learned from that was to never shop using a debit card. Ever. The laws are too sketchy.

A credit card breach in and of itself rarely bothers consumers. The liability all lives elsewhere.

Paco Underhill
4 years ago

Both major merchants and brands are facing major breaches of consumer trust. It is a poison that is fueling shifts in consumer shopping patterns. As the analog results of digital flaws become more real – what will consumer response be? It is not just a Macy’s issue.

Mel Kleiman
Member
4 years ago

Just another hack. They have become so common that most people just seem to ignore them and think it is a part of having to live with the internet. It does not seem to cause any real damage to the retailer who is hacked.

Cathy Hotka
Trusted Member
4 years ago

This won’t affect Macy’s holiday sales, but it may affect Macy’s performance on Wall Street. Let’s hope this is the last such story we hear during the season.

Patricia Vekich Waldron
Active Member
4 years ago

I’m afraid that Santa was planning a lump of coal for Macy’s before the data breach …

James Tenser
Active Member
4 years ago

Another day, another data hack. Seems like the only people getting upset are Wall Street investors (and I suspect some of them are using this incident as an opportunity to create volatility). For the rest of us, any real presumption of data privacy has been out the window for years. Macy’s is handling this matter appropriately under the circumstances. It needs to keep its eye on the prize this holiday season, and not use this data breach as an excuse for lackluster performance.

Doug Garnett
Active Member
4 years ago

Consumers are becoming immune to these announcements because they’ve been coming so constantly and from such big players. Certainly “consumer groups” will raise a fuss.

It isn’t likely to affect Macy’s holiday sales performance. But we should expect it to be one of the reasons Macy’s gives for missing their holiday numbers.

As to other steps? The security business should stop trying to sell the myth that it’s possible to eliminate all breaches and accept they are inevitable. That would mean a shift to minimizing exposure of data when there IS a breach.

David Naumann
Active Member
4 years ago

Macy’s most recent data breach may cause some customers to avoid shopping on their website. However, many consumers may be becoming a little numb to these announcements, as they seem to be happening across all industries – even beyond retail (e.g., Facebook, healthcare, etc.).

Ricardo Belmar
Active Member
4 years ago

It certainly won’t help matters, but Macy’s has a lot of irons in the fire so to speak to try and create a happy holiday sales story. I suspect this will be a blip and most customers won’t slow down their shopping as a result. Macy’s still has a job to do to get those customers in their stores and on their website and mobile app. The real question is, has Macy’s done enough to attract those customers in the first place? I think they have a number of positives happening but the final details are always in the execution at scale and this is historically where Macy’s suffers. Data breaches may impact those consumers that were on the fence about shopping and buying at Macy’s but I expect this won’t push too many away.

Ryan Mathews
Trusted Member
4 years ago

I’m sure it will, although — given Macy’s other problems — I’m not sure how the impact could, or should, be calculated. I’m not sure how Macy’s addresses customer concerns unless they, in fact, take radical and sustainable steps to securing its database.

Ken Lonyai
Member
4 years ago

It’s very unfortunate that so many here are acquiescent about yet another data hack. Sure, those unaffected by stolen data will lose sight of it in the information overload, but those whose data is abused can face years of serious heartache and in some cases life-altering issues.

Companies are able to get away with service level agreements stating things like “industry standard data protection.” When the industry standard is to have poor safeguards, PR spin, and a year of credit monitoring service, the industry is weak and unfortunately may need government regulation.

Shep Hyken
Trusted Member
4 years ago

It doesn’t help, but at the same time, hacks are (unfortunately) more and more common. There are bad people out there who will also be able to hack the system, regardless of all the effort to safeguard the data. How to combat a customer’s fear? There are insurance policies companies take out to give their customers peace of mind.

It’s important for retailers to let customers know in advance what they are doing to prevent breaches, and if they happen, how they react and handle the situation. A major company once shared with me how many times cyber-criminals try to hack into their system. It wasn’t every once in a while. It was hundreds of times each day, and that’s a conservative number. Every company, not just Macy’s, needs to help their customers understand the lengths they go to to protect their customers’ data.

Craig Sundstrom
Noble Member
4 years ago

No and no. That probably few of us even remember there was a “prior incident” is telling as to how frequent these have become and as a result how immune we’ve become to paying attention to them; something that is both good and bad for the impacted retailers, and society at large.

Jeffrey McNulty
4 years ago

This is unacceptable to happen a second time in two years. Lately, every year we are exposed to information about the profusion of retail breaches that are inundating the retail sector with the same inevitable outcome: sensitive customer information was extracted from a retailer’s website, servers, or mainframe. Consumers’ trust is waning in the face of the frequent security breaches that are becoming pervasive.

Retailers need to go on the offensive (institute a proactive not reactive strategy) and start implementing preventive measures BEFORE a breach occurs. This type of behavior can and will damage a retailer’s brand, reputation, and future.

I concur with Neil Saunders’ assessment of Macy’s not having a strong holiday season anyway.

BrainTrust

"While this news is certainly the last thing Macy’s needs, I am not sure it will be the deciding factor for them this holiday season."

Dave Bruno

Director, Retail Market Insights, Aptos


"I’m afraid that Santa was planning a lump of coal for Macy’s before the data breach..."

Patricia Vekich Waldron

Contributing Editor, RetailWire; Founder and CEO, Vision First


"Unfortunately, these kinds of data breaches have become routine, to the point where shoppers react with a shrug."

Dick Seesel

Principal, Retailing In Focus LLC