The California Office of the Attorney General disclosed a data breach at Macy's, where unauthorized actors gained access to **macys.com** customer data. The incident, detected on **October 7, 2019**, involved the exposure of sensitive personal information, including **customer names, addresses, phone numbers, email addresses, and payment card details**. Macy's launched an investigation on **October 15, 2019**, after identifying a suspicious connection. The breach compromised financial and personally identifiable information (PII), posing risks of identity theft, fraud, and reputational harm. While the exact scale of the breach was not specified, the exposure of payment card data elevated the severity, as such details are high-value targets for cybercriminals. The incident underscored vulnerabilities in Macy's online security infrastructure, prompting concerns over customer trust and potential regulatory penalties under data protection laws like **CCPA (California Consumer Privacy Act)**. No evidence suggested ransomware involvement, but the breach’s focus on customer financial data marked it as a high-impact cybersecurity failure.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-184363
TPRM report: https://www.rankiteo.com/company/macy
"id": "mac730082025",
"linkid": "macy",
"type": "Breach",
"date": "10/2019",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'industry': 'Retail',
'location': 'United States (California)',
'name': "Macy's, Inc.",
'type': 'Retailer'}],
'data_breach': {'data_exfiltration': 'Likely (unauthorized access reported)',
'personally_identifiable_information': 'Yes (names, '
'addresses, phone '
'numbers, email '
'addresses)',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['personal information',
'payment card details']},
'date_detected': '2019-10-15',
'description': 'The California Office of the Attorney General reported that '
"Macy's experienced a data breach involving unauthorized "
'access to personal information on macys.com. The breach '
'reportedly occurred on October 7, 2019, and information '
'potentially accessed included customer names, addresses, '
'phone numbers, email addresses, and payment card details. An '
'investigation was initiated immediately on October 15, 2019, '
'after the company detected a suspicious connection.',
'impact': {'data_compromised': ['customer names',
'addresses',
'phone numbers',
'email addresses',
'payment card details'],
'identity_theft_risk': 'High (PII and payment card details '
'exposed)',
'payment_information_risk': 'High (payment card details exposed)',
'systems_affected': ['macys.com']},
'investigation_status': 'Initiated (as of 2019-10-15)',
'references': [{'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': 'California Office of '
'the Attorney General'},
'response': {'incident_response_plan_activated': 'Yes (investigation '
'initiated on 2019-10-15)'},
'title': "Macy's Data Breach (2019)",
'type': 'Data Breach'}