Macy’s Inc. is paying up to $192,500 to settle a proposed class action suit after customer information was obtained by a third party in spring 2018.
The department store chain received final approval from an Alabama federal judge Friday to settle the suit, which accused Macy’s of failing to properly secure customer data to prevent hacking. The retailer has allocated $192,500 to go to eligible class members.
The company will provide up to $1,500 as reimbursement for documented out-of-pocket expenses and lost time incurred as a result of the data breach. (Class members who cannot document lost time will be eligible for a $30 payment.) In addition, Macy’s will pay $60,000 in legal fees, as well as a $2,500 payment to plaintiff Anna Carroll. In a memorandum, Judge R. David Proctor called the settlement “fair, reasonable, and adequate.”
Macy’s denies that it “is any way liable for the cyber attack” but says it chose to settle the suit “given the risks, uncertainties, burden, and expense of continued litigation.”
In July 2018, Macy’s Inc. informed customers that a third party gained access to accounts on Macys.com and Bloomingdales.com using valid usernames and passwords between April 26 and June 12. The company said that the data was obtained from a source other than Macy’s, and advised customers to change any log-in information on sites with similar passwords. Several other major retailers were also hit by security breaches in 2018, including Adidas, Under Armour and Saks Fifth Avenue.
In addition to the spring 2018 data breach, Macy’s was hacked by a third party in October 2019. The retailer notified customers in a November 2019 letter that data was compromised, adding that it would provide a year of complimentary identity monitoring and surveillance. In March, a customer filed a proposed class action against Macy’s, alleging that the company did not follow through with its offer of security services. The complaint claims that customers suffered emotional distress and loss of time due to the department store chain’s failure to protect shopper data from hackers. The suit was filed in Massachusetts state court but has been removed to Massachusetts district court.
FN has reached out to Macy’s for comment.