Macy’s has been hit with a class-action lawsuit over a breach of customer data revealed last week.
The case, filed on Tuesday in the U.S. District Court for the Northern District of Alabama, charges that Macy’s failed to protect personally identifiable information (PII) and that it waited almost a month to notify customers after discovering the cyberattack by a third party.
The complaint states that “9,200 confirmed instances of fraud have already resulted from the Data Breach to date,” and that victims face “years of constant surveillance of their financial and personal records, monitoring, and loss of rights.”
The suit contends that the company’s protection of PII data was “lackadaisical, cavalier, reckless, and negligent.”
The plaintiff, Anna Carroll, seeks restitution, punitive damages and orders prohibiting the alleged practices and failures going forward on behalf of herself and other potential class members. The complaint says the amount in question exceeds $5 million, and asks that the court recognize the class.
In response to a query, a Macy’s spokesperson said the company does not comment on ongoing litigation.
Macy’s notified customers on July 7 that a data breach had exposed email addresses, credit card and debit numbers, birthdays, profiles and other data. The exposed information did not include Social Security numbers or the security numbers that appear on the backs of credit cards, although it did contain card expiration dates.
The breach occurred when an unnamed third party accessed the data from an outside source, using valid passwords and user information. It took place from April 26 to June 12.
Carroll made purchases from macys.com during the period, the complaint states.
Macy’s spokesperson Blair Rosenberg acknowledged the breach in a statement on July 8, saying that the retailer is “aware of a data security incident involving a small number of our customers at macys.com and bloomingdales.com. We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures.”
The complaint argues that Macy’s “stores massive amounts of PII on their servers and utilizes this information to maximize their profits through predictive marketing and other marketing techniques.”
PII data is “highly coveted and a frequent target of hackers,” the papers continue. “PII data is often easily taken because it is less protected and regulated than payment card data.”
The suit names Macy’s Inc., Macy’s Retail Holdings Inc. and Macy’s Systems and Technology Inc.