in Newswire Published on July 10, 2018

Class Action Chides Macy’s for Waiting Nearly a Month to Alert Customers to June 2018 Data Breach [UPDATE]

by Corrado Rizzi

View Comments

Carroll v. Macy's Inc et al

Filed: July 9, 2018 § 2:18cv1060

Read Complaint

Macy's and two subsidiaries face a class action over a June 2018 data breach that the plaintiff claims the companies failed to disclose for almost a month.

Defendant(s)

Macy's, Inc. Macy's Retail Holdings, Inc. Macy's Systems and Technology, Inc.

Law(s)

State(s)

Alabama

Categories

Retail Privacy Data Breach

Case Updates

June 17, 2020 - $192,500 Settlement Given Final Approval, Class Certified

United States District Judge R. David Proctor has granted final approval to a $192,500 settlement to end the proposed class action detailed on this page.

Macy’s has admitted no fault over the data breach and will pay customers who submit claims up to $1,500 for documented out-of-pocket expenses or time spent mitigating any adverse effects of the incident, according to a June 5 order. Any U.S. resident who received from Macy’s in July 2018 a notification pertaining to “suspected unauthorized activity” stemming from the April 26 to June 12, 2018 cyberattack is eligible to file a claim. 

Still pending against Macy’s is a proposed class action filed in Massachusetts over another data breach alleged to have affected thousands of online shoppers between October 7 and October 15, 2019. 

Judge Proctor’s final approval order can be found here.

A proposed class action filed in Alabama federal court aims to hold defendants Macy’s Inc., Macy’s Retail Holdings, Inc. and Macy’s Systems and Technology, Inc. accountable for a June 2018 data breach that reportedly exposed consumers’ sensitive identifiable information.

According to the lawsuit, the defendants’ online security tools detected signs of a cyberattack by a third party on June 11, 2018. This third party, unidentified in the complaint, reportedly obtained access to information stored in consumers’ Macys.com accounts, including names, addresses, phone numbers, email addresses, and credit card numbers with expiration dates, the case says. The third party allegedly had access to Macy’s customer accounts between April 26 and June 12, 2018.

The lawsuit takes issue with the defendants’ apparent decision to wait almost a month before notifying consumers that their information was stolen in a data breach. The plaintiff claims that despite the incident taking place on June 11, she was only informed by the defendants during the first week of this month that her Macys.com account information had likely been obtained by a third party.

“By [the defendants’] own admission, hackers may [have] had access to [Macy’s] information systems for over two weeks,” the complaint reads.

The case alleges Macy’s failed to implement and maintain reasonable security measures that may have limited the scope of information reportedly stolen by the hackers or prevented the cyberattack entirely.

This browser does not support PDFs. Please download the PDF to view it: Download PDF.
Open Document
Last Updated on July 10, 2018 — 2:58 PM

Corrado Rizzi

corrado@classaction.org

Corrado Rizzi is the Senior Managing Editor of ClassAction.org.

About ClassAction.org

ClassAction.org is a group of online professionals (designers, developers and writers) with years of experience in the legal industry.

Learn More

Before commenting, please review our comment policy.