An October 2019 data breach is the subject of a proposed class action lawsuit filed in Massachusetts against Macy’s, Inc.
According to the lawsuit, Macy’s website was hacked by an unauthorized third party who captured personal customer payment information via malware. The case says the hacker, between October 7 and 15, 2019, accessed and disclosed Macy’s customers’ first and last names, addresses, phone numbers, email addresses, credit card numbers, security codes and expiration dates.
Macy’s notified customers in a November 14 letter that their information was compromised in a data breach and that the retailer would be providing a year of complimentary credit monitoring. Though the letter urged customers to be vigilant and take any necessary precautions to protect against identity theft, the lawsuit claims Macy’s has offered “neither financial compensation nor an opportunity to obtain, free of charge, certain professional monitoring” aimed strictly at protecting against identity theft for one year.
The case alleges Macy’s violated Massachusetts law by “unlawfully, negligently, and unfairly” failing to ensure the security of customers’ sensitive information. Further, the lawsuit argues Macy’s customers have suffered “cognizable injuries” as a result of the retailer’s failure to properly safeguard the compromised data.
“As a result of The Breach, Plaintiff and the Class have been exposed to the heightened risk of personal identity theft which will require individuals to undertake continuing efforts and to invest significant money in order to monitor their personal identity profile,” the case reads, arguing that one year of credit monitoring is unsatisfactory in protecting Macy’s customers.
Initially filed in Massachusetts Superior court, the suit has been removed to the state’s district court.