[BreachExchange] Macy’s Settles Suit Over 2018 Data Breach for Up to $192K

Destry Winant destry at riskbasedsecurity.com
Thu Jun 11 10:25:56 EDT 2020


Macy’s Inc. is paying up to $192,500 to settle a proposed class action
suit after customer information was obtained by a third party in
spring 2018.

The department store chain received final approval from an Alabama
federal judge Friday to settle the suit, which accused Macy’s of
failing to properly secure customer data to prevent hacking.  The
retailer has allocated $192,500 to go to eligible class members.

The company will provide up to $1,500 as reimbursement for documented
out-of-pocket expenses and lost time incurred as a result of the data
breach. (Class members who cannot document lost time will be eligible
for a $30 payment.) In addition, Macy’s will pay $60,000 in legal
fees, as well as a $2,500 payment to plaintiff Anna Carroll. In a
memorandum, Judge R. David Proctor called the settlement “fair,
reasonable, and adequate.”

Macy’s denies that it “is any way liable for the cyber attack” but
says it chose to settle the suit “given the risks, uncertainties,
burden, and expense of continued litigation.”

In July 2018, Macy’s Inc. informed customers that a third party gained
access to accounts on Macys.com and Bloomingdales.com using valid
usernames and passwords between April 26 and June 12. The company said
that the data was obtained from a source other than Macy’s, and
advised customers to change any log-in information on sites with
similar passwords. Several other major retailers were also hit by
security breaches in 2018, including Adidas, Under Armour and Saks
Fifth Avenue.

In addition to the spring 2018 data breach, Macy’s was hacked by a
third party in October 2019. The retailer notified customers in a
November 2019 letter that data was compromised, adding that it would
provide a year of complimentary identity monitoring and surveillance.
In March, a customer filed a proposed class action against Macy’s,
alleging that the company did not follow through with its offer of
security services. The complaint claims that customers suffered
emotional distress and loss of time due to the department store
chain’s failure to protect shopper data from hackers. The suit was
filed in Massachusetts state court but has been removed to
Massachusetts district court.

FN has reached out to Macy’s for comment.

More information about the BreachExchange mailing list