Macy’s recently disclosed that its website was breached on October 7, 2019, though the retail giant didn’t find out until a week later, on October 15, when an anonymous researcher alerted the company. The attackers were able to access customer and credit card information, including names, phone numbers, and payment card numbers. Macy’s claims that only a small number of customers were affected.

A MageCart attack, a form of data skimming, caused of this incident. Cybercriminals will compromise a website to inject malicious JavaScript scripts, which then steal payment information that is submitted by a customer. Following this incident, Macy’s implemented additional security measures to ensure this does not occur again.