Macy’s Hit with Class Action Over October 2019 Data Breach [UPDATE]
Last Updated on November 19, 2020
Hartigan v. Macy’s Inc.
Filed: March 19, 2020 ◆§ 1:20-cv-10551
A Massachusetts consumer has filed a class action against Macy's over a data breach suffered by the retailer in October 2019.
November 5, 2020 – Lawsuit Dismissed
The lawsuit detailed on this page was dismissed in early November after the judge overseeing the case found the plaintiff did not sufficiently allege that he would face a risk of future identity theft or had suffered harm from the breach.
According to the judge’s 10-page order, there were no allegations of “fraudulent use or even attempted use” of the personal information of any Macy’s customer whose data was stolen in the breach. The judge further pointed out that customers could cancel their credit cards to effectively eliminate the risk of future credit card fraud and noted that the information stolen was “not highly sensitive” like Social Security numbers.
Though the judge did acknowledge that there is still a possibility of identity theft involving customers’ information, the risk is “not substantial and, at best, speculative,” according to the document.
The order also shot down the plaintiff’s claim that he should be repaid for the cost of buying a credit monitoring service, arguing that the expense was unreasonable given the man could not prove he was facing a “reasonably impending threat.”
“While it is certainly a hassle and annoying to cancel a credit card and contact all accounts using that card for billing, there is no allegation of economic loss which flowed from this inconvenience,” the judge wrote.
The full memorandum and order can be read here.
An October 2019 data breach is the subject of a proposed class action lawsuit filed in Massachusetts against Macy’s, Inc.
According to the lawsuit, Macy’s website was hacked by an unauthorized third party who captured personal customer payment information via malware. The case says the hacker, between October 7 and 15, 2019, accessed and disclosed Macy’s customers’ first and last names, addresses, phone numbers, email addresses, credit card numbers, security codes and expiration dates.
Macy’s notified customers in a November 14 letter that their information was compromised in a data breach and that the retailer would be providing a year of complimentary credit monitoring. Though the letter urged customers to be vigilant and take any necessary precautions to protect against identity theft, the lawsuit claims Macy’s has offered “neither financial compensation nor an opportunity to obtain, free of charge, certain professional monitoring” aimed strictly at protecting against identity theft for one year.
The case alleges Macy’s violated Massachusetts law by “unlawfully, negligently, and unfairly” failing to ensure the security of customers’ sensitive information. Further, the lawsuit argues Macy’s customers have suffered “cognizable injuries” as a result of the retailer’s failure to properly safeguard the compromised data.
“As a result of The Breach, Plaintiff and the Class have been exposed to the heightened risk of personal identity theft which will require individuals to undertake continuing efforts and to invest significant money in order to monitor their personal identity profile,” the case reads, arguing that one year of credit monitoring is unsatisfactory in protecting Macy’s customers.
Initially filed in Massachusetts Superior court, the suit has been removed to the state’s district court.
Before commenting, please review our comment policy.