Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: jcpenney (1 article)Clear

JCPenney breach exposes Social Security numbers and tax records of 368,000

Have I Been Pwned has added 368,418 accounts from a breach of JCPenney, after the extortion group ShinyHunters claimed in mid-June it stole data from the retailer and several sister brands under Catalyst Brands and Authentic Brands Group. ShinyHunters says the haul includes highly sensitive employee and customer data: Social Security numbers, dates of birth, W-2 tax forms, payroll records, and scans of government-issued IDs. Unlike passwords, these identifiers cannot simply be reset, raising long-term identity-theft and tax-fraud risk. JCPenney has not confirmed the full scope, and the group has not published samples, but the data types make this a serious exposure.

Check
Current and former JCPenney and Catalyst Brands staff and customers should check Have I Been Pwned, watch for tax, payroll, and identity-themed phishing, and monitor for fraudulent tax filings or new-account activity.
Affected
JCPenney employees and customers, plus those tied to sister brands like Aeropostale, Brooks Brothers, Lucky Brand, and Nautica; exposed Social Security numbers, W-2s, and ID scans carry lasting fraud risk.
Fix
Consider a credit freeze and fraud alert, file taxes early to pre-empt fraudulent returns, reset any reused JCPenney passwords, enable MFA, and treat tax or payroll messages referencing the breach with caution.