Macy’s Data Breach
The Heninger Garrison Davis, LLC law firm is actively litigating cases against Macy’s on behalf of its clients who were affected by the Macy’s data breach. The firm has filed a case in New Jersey, Maroldi v. Macy’s Inc. et al., 2:18-cv-12190-JMV-JBC, and is co-counsel in a case in Alabama entitled Carroll v. Macy’s Inc. et al. If you have been affected by the Macy’s data breach in any way, please contact us for a free discussion of your legal options.
Below is some basic information on the Macy’s data breach:
- It is well known and the subject of many media reports that PII data is highly coveted and a frequent target of hackers.
- PII data is often easily taken because it is less protected and less regulated than payment card data.
- Legitimate organizations and the criminal underground alike recognize the value of PII; otherwise, they would not pay for it or aggressively seek it.
- PII data has been stolen and sold by the criminal underground on many occasions in the past, and the accounts of thefts and unauthorized access have been the subject of many media reports.
- Unfortunately, despite all of this publicly available knowledge of continued compromises of PII held by third parties such as retailers, this firm’s clients allege that Defendants’ approach to maintaining the privacy of their and Class Members’ PII was lackadaisical, illegal, cavalier, reckless, and negligent.
Unlike PII data, payment card data is heavily regulated. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that companies maintain consumer credit and debit card information in a secure environment. “PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.” PCI DSS v. 2 at 5 (2010) (hereafter PCI Version 2).
One PCI DSS requirement is to protect stored cardholder data. Cardholder data includes the Primary Account Number, Cardholder Name, Expiration Date, and Service Code. Id. at 7. “Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity’s network is not a PCI DSS requirement.” Id. at 10. However, segmentation is recommended because, among other reasons, “[i]t’s not just cardholder data that’s important; criminals are also after personally identifiable information (PII) and corporate data.”
Sometime during the first week of July, Macy’s mailed some of the affected customers a letter notifying them of “suspicious login activities” by a third party and informing them that the third party was able to access customers’ names, addresses, phone numbers, email addresses, birthdays, and credit or debit card numbers with expiration dates.
On July 9, 2018, Macy’s spokesperson Blair Rosenberg confirmed the incident to Email Insider, providing a written statement confirming the breach:
“We are aware of a data security incident involving a small number of our customers at macys.com and bloomingdales.com. We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures. Macy’s, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services.”
Thus, by Macy’s own admission, hackers had access to numerous Macy’s customers’ PII.