According to the letter, the following customer details may have been leaked:
Credit/Debit card numbers with expiration dates.
On June 11, 2018, Macy’s Information Security teams identified the attack pattern definition by testing the attacker’s scripts. The traffic pattern matching the script signature was blocked within six (6) hours of pattern validation as a temporary mitigation. Within 24 hours, on June 12, we blocked access to the relevant customer profiles, purged all payment card data from the profiles and blocked the profiles until our customers changed their passwords.
The company said that the attacker "accessed certain information stored in customer profiles logged into by the attacker and attempted to access the encoded payment data stored on those profiles."
However, Macy's said that the majority of the credit/debit card numbers "were for Macy's Proprietary Cards that can only be used at Macy's, Inc. entities. Note that CVV is not associated with a customer's profile. We can only confirm activity suggesting attempts to access encoded payment card data."
Copyright 2018 Meredith Corporation. All rights reserved.