Yes — JCPenney (jcpenney.com) was breached. The Plano, Texas-based department store chain now appears on Have I Been Pwned with 368,418 accounts tied to a June 2026 incident in which ShinyHunters ran a “pay or leak” extortion campaign against internal HR systems.
HIBP added the breach on June 20, 2026. Published data primarily affects current and former employees — including Social Security numbers, dates of birth, names, phone numbers, home addresses, job titles, usernames, and scans of government-issued IDs — according to Have I Been Pwned, BreachNews, and Cyber Indemnity.
Reporting ties the intrusion to exploitation of a critical zero-day in Oracle PeopleSoft — the same ERP family ShinyHunters has weaponized against Moody Bible Institute and Infinite Campus in parallel 2026 campaigns. JCPenney sits under Catalyst Brands and Authentic Brands Group, which operate multiple retail subsidiaries; ShinyHunters listed the company on its leak site on June 12, 2026 and published data after a June 15 deadline passed without payment, per DeXpose.
We scanned jcpenney.com, jcp.com, and parent catalystbrands.com to assess email and domain security posture relevant to this HR leak.
What Happened
According to Have I Been Pwned, BreachNews, and threat-intelligence reporting:
- June 12, 2026 — ShinyHunters listed JCPenney and affiliated Catalyst Brands properties in a pay-or-leak extortion campaign.
- Attackers allegedly exploited a zero-day in Oracle PeopleSoft to reach internal HR and payroll systems.
- June 15, 2026 — ShinyHunters’ stated deadline for contact passed; the group threatened public release of employee PII and tax records.
- June 16–17, 2026 — ShinyHunters published datasets it claimed included payroll, W-2, and identity-document scans alongside other victims such as American Tower and Ralph Lauren.
- June 20, 2026 — HIBP indexed 368,418 unique email addresses and associated employee PII.
Unlike customer-facing CRM leaks at fashion retailers, this incident centers on workforce records — the highest-sensitivity category for identity theft and tax fraud.

Breach Impact at a Glance
| Field | Detail |
|---|---|
| Victim | JCPenney (jcpenney.com) |
| Parent context | Catalyst Brands / Authentic Brands Group |
| Sector | Department store retail |
| HQ | Plano, Texas |
| Threat actor | ShinyHunters |
| Alleged source | Oracle PeopleSoft HR (zero-day) |
| Accounts affected | 368,418 |
| Breach period | June 2026 |
| Listed on leak site | June 12, 2026 |
| Added to HIBP | June 20, 2026 |
| Primary victims | Current and former employees |
Data at Risk
Exposed records may include:
- Social Security numbers and dates of birth
- Corporate and personal email addresses
- Full names, phone numbers, and home addresses
- Job titles and usernames
- W-2 and payroll records
- Scans of government-issued IDs and driver’s licenses
Because the leak maps employee identity graphs — not just shopping loyalty accounts — affected workers face elevated tax-refund fraud, account takeover, and HR impersonation phishing that references real payroll details.

Texas and Retail Context
JCPenney is one of the largest Texas-headquartered retailers still operating hundreds of stores nationwide. While this breach has not yet surfaced in the Texas OAG breach portal at the time of writing, the employee PII scale and PeopleSoft HR angle place it alongside other 2026 ShinyHunters retail victims tracked in our hospitality & retail dashboard.
Class-action investigations into the incident have been reported by consumer-privacy firms; affected employees should watch for official breach notices from JCPenney or Catalyst Brands counsel.
Independent Cybersecurity Audit
We ran an EmailMeNow Cybersecurity Audit on July 7, 2026:
| Domain | Overall | Identity | Transport | Website | Risk |
|---|---|---|---|---|---|
| jcpenney.com | 58% | 60% | 15% | 45% | Average |
| jcp.com | 64% | 75% | 15% | 45% | Above Average |
| catalystbrands.com | 64% | 75% | 15% | 45% | Above Average |
Key findings:
- 58% overall on jcpenney.com (Average) — below the 100% ideal for a retailer emailing millions of customers and tens of thousands of employees after an HR leak.
- 60% Identity on jcpenney.com — partial DMARC posture on the primary storefront domain;
jcp.comandcatalystbrands.comscore 75% identity. - 15% Transport Security — no effective MTA-STS enforcement or TLS-RPT on any scanned domain.
- 45% Website Security — public web hardening lags identity scores across the portfolio.
- 100% Email Infrastructure — all three domains route through Microsoft 365 / Exchange.

Stronger identity scores on corporate alias domains do not undo a 368k-record HR leak — but weak 15% transport still leaves room for downgrade attacks on breach-notification and payroll-update email.
Audit links:
Priority Actions
If you are a current or former JCPenney employee:
- Check Have I Been Pwned for exposure.
- Place fraud alerts or credit freezes via IdentityTheft.gov — SSN exposure warrants immediate action.
- Be skeptical of urgent payroll, W-2, or HR benefits emails; verify through jcpenney.com or your known HR portal directly.
- File taxes early if you have not yet filed for 2026 — stolen SSNs are commonly used for refund fraud.
For retailers and HR platform owners:
- Inventory internet-facing PeopleSoft endpoints; patch and segment HR systems from general corporate mail.
- Deploy DMARC
p=rejectand MTA-STSmode=enforceto reach the 100% ideal on both identity and transport. - Segment payroll exports and monitor bulk downloads from ERP environments.
Related Trackers
- Have I Been Pwned 2026 tracker
- Hospitality & retail breaches
- Ralph Lauren / ShinyHunters (Jun 2026)
- American Tower / ShinyHunters (Jul 2026)
- Moody Bible Institute / PeopleSoft (Jul 2026)
- Ransomware threat landscape
- Breach monitoring guide
Protect employee, customer, and vendor correspondence.
Run a free Instant Cybersecurity Audit at audit.emailmenow.com or contact EmailMeNow IT Consulting for DMARC enforcement, MTA-STS deployment, and incident response planning.
Sources: HIBP — JCPenney · BreachNews — ShinyHunters multi-victim release · DeXpose — Catalyst Brands campaign · Cyber Indemnity — PeopleSoft HR leak · EmailMeNow audit — jcpenney.com