Macy’s to Settle 2018 Data Breach Class Action Suit
Two years after it happened, the popular department store is electing to settle a class action data breach lawsuit that alleged the company failed to properly secure customer data online.
Department store mainstay Macy's is electing to settle a class action lawsuit stemming from a 2018 data breach that impacted shoppers of macys.com and bloomingdales.com, the site operated the Macy's department store chain.
The breach, which spanned three months and lasted from April 26 and June 12 that year, allowed a third party to access names and passwords of some customers. With this access, the third party could have been able to access customers’ full names, addresses, phone numbers, email addresses, birthdays and debit or credit card numbers with expiration dates - although not security, CVV codes, or social security numbers.
The company said this week it would pay up to $192,500 for eligible class action members to settle the suit. Victims who can prove they had an out of pocket expense or lost time as a result of the breach will be eligible for $1,500; those who cannot document lost time will be eligible for a $30.
The judge overseeing the case, Judge R. David Proctor called the settlement “fair, reasonable, and adequate” on Friday. Macy's denies any wrongdoing in the settlement and says it's settling the suit "given the risks, uncertainties, burden, and expense of continued litigation.”
After it discovered the breach, Macy's claims it blocked suspicious login activity until customers changed their passwords and reported exposed card numbers to Visa, Mastercard, American Express and Discover.
The breach reportedly only affected about 0.5% of the store's customers but that didn’t stop victims from filing a class action lawsuit accusing Macy’s of failing to properly secure customer data to prevent hacking in Alabama. In the suit, plaintiff/customer Anna Carroll claimed the company should have been aware of and implemented the best security measures available on its websites and known that its customers' data was vulnerable and sought after.
The department store was among a handful of retail breaches that year; companies like Adidas, Under Armour, Lord and Taylor, and Saks Fifth Avenue were also breached that year.
It wasn't the last time the company was hit by hackers.
Macy’s disclosed to customers last November that attackers hijacked its site between October 7 and October 15 and embedded code to capture information on checkout pages. That information included customers' full name, address, city, state, zip code, phone number, email address, along with their payment code number, security code, and the month/year the card expired.
The card-skimming attack was ultimately linked to Magecart, a cybercrime gang that specialize in swiping data from online shopping cart systems.
The company was hit with a lawsuit over the Magecart breach as well; Robert Hartigan, a Macy's customer in Massachusetts filed a suit in the state's superior court initiallly; it was later moved to the state's district court.
The Definitive Guide to DLP
- The seven trends that have made DLP hot again
- How to determine the right approach for your organization
- Making the business case to executives
The Definitive Guide to Data Classification
- Why Data Classification is Foundational
- How to Classify Your Data
- Selling Data Classification to the Business