A proposed class action filed in Alabama federal court aims to hold defendants Macy’s Inc., Macy’s Retail Holdings, Inc. and Macy’s Systems and Technology, Inc. accountable for a June 2018 data breach that reportedly exposed consumers’ sensitive identifiable information.
According to the lawsuit, the defendants’ online security tools detected signs of a cyberattack by a third party on June 11, 2018. This third party, unidentified in the complaint, reportedly obtained access to information stored in consumers’ Macys.com accounts, including names, addresses, phone numbers, email addresses, and credit card numbers with expiration dates, the case says. The third party allegedly had access to Macy’s customer accounts between April 26 and June 12, 2018.
The lawsuit takes issue with the defendants’ apparent decision to wait almost a month before notifying consumers that their information was stolen in a data breach. The plaintiff claims that despite the incident taking place on June 11, she was only informed by the defendants during the first week of this month that her Macys.com account information had likely been obtained by a third party.
“By [the defendants’] own admission, hackers may [have] had access to [Macy’s] information systems for over two weeks,” the complaint reads.
The case alleges Macy’s failed to implement and maintain reasonable security measures that may have limited the scope of information reportedly stolen by the hackers or prevented the cyberattack entirely.