Macy's Inc. on Tuesday said customer data may have been stolen from its website over a roughly one-week period in October.
In an email statement, Macy's said a "targeted data security incident" related to its macys.com website affected a small number of customers. The Cincinnati-based department-store operator said it has notified the affected customers and offered them consumer-protection services at no cost.
Shares of Macy's fell more than 10% to $15.07 in afternoon trading. Many retail stocks fell Tuesday after a disappointing quarterly report from Kohl's Corp. Macy's is scheduled to report its third-quarter results on Thursday.
In a notice sent to customers, Macy's said hackers may have accessed customer names, addresses and payment-card numbers. The retailer said it was alerted to a suspicious connection between macys.com and another website on Oct. 15. After an investigation, Macy's said unauthorized computer code was added to its website on Oct. 7, allowing a third party to capture the information. Macy's removed the unauthorized code on Oct. 15.
Macy's said it contacted federal law-enforcement officials about the breach and reported the relevant payment-card information to the issuers.