Macy's Pays $192,000 to Settle Data Breach Suit

US department store giant Macy's has agreed to pay almost $200,000 to settle a lawsuit brought over a data breach, according to Footwear News.

The class-action lawsuit was brought after a third party managed to obtain customer information from the company in spring 2018. In the suit, plaintiff Anna Carroll accused the 162-year-old company of failing to properly secure customer data against cyber-attackers.

On June 5, Macy's received final approval from a federal judge in Alabama to settle the suit. The retailer has set aside $192,500 to be allocated to eligible class members. 

Under the terms of the settlement, plaintiff Anna Carroll will receive a payment of $2,500 from Macy's. A further $60,000 will be shelled out by the store to cover legal costs. 

Class members will be reimbursed up to $1,500 provided they can supply documents to prove that they incurred expenses and lost time as a direct result of the data breach. Claimants who are unable to prove that their time was wasted in dealing with the fallout from the breach can only claim a single $30 payment. 

Judge R. David Proctor called the settlement “fair, reasonable, and adequate” in a memorandum. 

Opting to pay to make the suit go away is not an admission of failure to implement adequate cybersecurity measures on Macy's part. The company has stated that it "is not in any way liable for the cyber-attack" but chose to settle the suit because of the "risks, uncertainties, burden, and expense of continued litigation." 

Macy's customers were informed in July 2018 that a third party had used valid usernames and passwords to gain access to accounts on Bloomingdales.com and Macys.com between April 26 and June 12 that year. 

In November 2019, Macy's notified its customers of a further data breach that occurred in October 2019. A Massachusetts consumer subsequently filed a class action against Macy's in March 2020 over the 2019 data breach.

According to the suit, Macy’s has offered “neither financial compensation nor an opportunity to obtain, free of charge, certain professional monitoring” aimed strictly at protecting against identity theft for one year.
