Macy’s (NYSE: M) shares sank by 11% on Tuesday after the Company sent out a letter addressing a data breach that occurred in mid-October.
"On behalf of Macy's, we are writing to inform you about a recent incident involving unauthorized access to personal information about you on macys.com," the Company wrote in the notice to customers. "We regret that this incident occurred and appreciate your time to read this letter."
Macy’s said it was alerted on October 15 about a “suspicious connection” between macys.com and another website. The Company noted that the security team immediately began an investigation.
Based on the investigation, Macy’s said that on October 7 an unauthorized third party added computer code to two pages on macys.com.
“The code was highly specific and only allowed the third party to capture information submitted by customers on the following two (2) macys.com pages: (1) the checkout page - if credit card data was entered and ‘place order’ button was hit; and (2) the wallet page - accessed through My Account,” the Company said in the letter.
ZDNet reported that the breach was caused by Magecart card-skimming code being implanted into Macy’s online payment portal.
Magecart attacks are made possible by gaining access to a site or its backend content management system. The attackers generally insert JavaScript code into a webpage to harvest data, which is then sent to a command-and-control (C2) server and can then be turned into fraudulent cards.
An anonymous researcher investigating the Macy’s breach told Bleeping Computer that a ClientSideErrorLog.js script was tampered with to host the Magecart code. After a victim submitted the payment, the data was then stored on a remote C2 server hosted at Barn-x.com, ZDNet said.
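One way a "suspicious connection" of this kind can surface on the defender's side, as an added example that is not from the article or from Macy's: it assumes the site serves a Content-Security-Policy with a report endpoint and triages the violation reports that browsers send back. The page paths, hostnames and sample reports are constructed for illustration.

```javascript
// Added example: triage CSP violation reports raised on payment pages.
// Paths, hosts and reports are constructed; adjust them to the real site.
const PAYMENT_PATHS = ['/checkout', '/account/wallet'];               // hypothetical paths
const ALLOWED_HOSTS = new Set(['shop.example', 'payments.example']);  // hypothetical allowlist
const WATCHED = /^(connect-src|img-src|form-action|script-src)/;      // directives a skimmer trips

function hostOf(uri) {
  try { return new URL(uri).hostname.toLowerCase(); } catch { return null; }
}

// Returns one finding per (unexpected host, source file) seen on a payment
// page, with the pages affected and a report count, most frequent first.
function triage(reports) {
  const findings = new Map();
  for (const raw of reports) {
    const r = raw['csp-report'];
    if (!r) continue;
    const directive = r['effective-directive'] || r['violated-directive'] || '';
    if (!WATCHED.test(directive)) continue;
    let page;
    try { page = new URL(r['document-uri']).pathname; } catch { continue; }
    if (!PAYMENT_PATHS.some(p => page === p || page.startsWith(p + '/'))) continue;
    const host = hostOf(r['blocked-uri']);   // "inline", "eval" etc. yield null
    if (!host || ALLOWED_HOSTS.has(host)) continue;
    const sourceFile = r['source-file'] || 'unknown';
    const key = host + '|' + sourceFile;
    const f = findings.get(key) || { host, sourceFile, pages: new Set(), count: 0 };
    f.pages.add(page);
    f.count += 1;
    findings.set(key, f);
  }
  return [...findings.values()].sort((a, b) => b.count - a.count);
}

// Constructed sample reports in the standard "csp-report" JSON shape.
const report = (doc, dir, blocked, src) => ({ 'csp-report': {
  'document-uri': doc, 'effective-directive': dir, 'blocked-uri': blocked, 'source-file': src } });
const SAMPLE_REPORTS = [
  report('https://shop.example/checkout', 'connect-src', 'https://collector.example/c', 'https://shop.example/js/ClientSideErrorLog.js'),
  report('https://shop.example/account/wallet', 'connect-src', 'https://collector.example/c', 'https://shop.example/js/ClientSideErrorLog.js'),
  report('https://shop.example/checkout', 'connect-src', 'https://payments.example/api', 'https://shop.example/js/pay.js'),
  report('https://shop.example/product/123', 'img-src', 'https://ads.example/px', 'https://shop.example/js/ads.js'),
  report('https://shop.example/checkout', 'script-src', 'inline', ''),
];
console.log(triage(SAMPLE_REPORTS));
```

A first-party script that suddenly appears as the source of connections to an unlisted host on both payment pages is the pattern worth escalating.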
Macy’s said it successfully removed the code on October 15 after a joint investigation with federal law enforcement and a class forensics firm.
The Company said that all impacted customers were notified of the breach and are being offered protection at no cost.