
Macy’s Reckless Data Breach and How Consumer Rights are Overlooked

November 19, 2019

According to a data breach notice sent to possibly affected customers, “an unauthorized third party added unauthorized computer code.” The code was collecting customers’ first and last names, addresses, phone numbers, email addresses, and payment card information (including number, security code, and expiration dates). The breach began on Oct. 7 and wasn’t discovered/removed until Oct. 15.

These attacks are not inevitable, and Macy’s could have done a lot more to prevent this attack as well as detect it much sooner. Auditing their systems with 3rd parties frequently, increasing the budget and manpower of their operations security teams, and pushing frequent, mandatory updates are all ways that Macy’s could have prevented or reduced the damage. As consolation for the damages, they are offering a subscription to Experian IdentityWorks, an identity protection service, to those affected. It almost seems like a pat on the back for the victims. When will corporations be held accountable for their cyber negligence?

In this new era of information that we live in, consumers have the short end of the stick. Information is an ethereal concept, so let’s present a tangible example to better frame Macy’s scenario. Sue and Bob have an agreement to share Sue’s car. Bob leaves Sue’s car unlocked and a 3rd party steals it. Bob says sorry and gives Sue a gift card to Outback Steakhouse in consolation. Let’s say there is no way for Sue to get her car back or be given the monetary value of her car. Does this sound fair? The sad reality is that this is how people’s private information is currently treated. Epic.org (Electronic Privacy Information Center) is an advocacy group that helps stand up against these types of violations. I am not affiliated with them in any way, but if you would like to take a more active stand for privacy, check out their website.