Problem
On November 14, US department store chain Macy's alerted customers of a security breach discovered in October on its website that led to the compromise of payment card details and customer information, including full names, addresses, telephone numbers and email addresses. At the time, the company described the breach as consisting of highly specific unauthorized code injected into the checkout and wallet pages on Macys.com with the goal of capturing information submitted by customers -- in other words what the security industry calls a web skimming attack.
1) Identify gaps in business, security controls, etc. that led to the incident.
2) Identify the top 3 critical risks leading to the incident.