JCPenney suffered a data breach in June 2026 when ShinyHunters exploited a zero-day vulnerability in Oracle PeopleSoft, exposing personal and HR data for approximately 368,000 current and former employees.
What happened
According to Have I Been Pwned, in June 2026 a threat actor group known as ShinyHunters targeted JCPenney and associated brands in an extortion campaign, threatening to publish stolen data unless a ransom was paid. The attackers reportedly exploited a critical zero-day vulnerability in Oracle PeopleSoft to obtain the data. When JCPenney did not comply, the data was published publicly.
What was exposed
Reported by HIBP, the exposed records primarily came from internal HR systems. The data included names, corporate and personal email addresses, dates of birth, Social Security numbers, phone numbers, home addresses, job titles, usernames, and government-issued IDs.
Who is affected
According to HIBP, approximately 368,000 accounts were affected. The records appear to relate to current and former JCPenney employees rather than retail customers.
What to do now
If you are a current or former JCPenney employee, monitor your credit reports closely and consider placing a credit freeze with the major bureaus. Be alert for phishing attempts using your personal details. If your Social Security number was exposed, consider enrolling in an identity theft protection service. Change any passwords associated with your JCPenney accounts and watch for suspicious activity on financial accounts.