What Happened
In the jcpenney.com data breach disclosed in June 2026, ransomware group ShinyHunters allegedly compromised JCPenney’s systems as part of a wider attack on Catalyst Brands and Authentic Brands, with the incident first reported on dark web monitoring platforms around June 12–15, 2026. ShinyHunters claimed to have stolen hundreds of thousands of records containing highly sensitive employee and personal data, including Social Security numbers, dates of birth, W‑2 tax and payroll information, and scans of government-issued IDs and driver’s licenses, though the exact record count and full scope of affected individuals have not been officially confirmed. Subsequent law-firm investigations and statements indicate JCPenney and Catalyst Brands later acknowledged that such categories of data may have been impacted, and that affected individuals face elevated risks of identity theft and fraud.
