We research all brands listed and may earn a fee from our partners. Research and financial considerations may influence how brands are displayed. Not all brands are included. Learn more.

  1. Identity Theft
  2. Identity Theft Protection

Weekly Scam Alert: JCPenney Hack Allegedly Exposed Social Security Numbers

By: Gabriel O. Rodriguez Cruz
Gabriel O. Rodriguez Cruz, expert in Translation, Crypto, Computer Software and Hardware, and Associate Editor at Money
Gabriel O. Rodriguez Cruz
Associate Editor | Joined February 2018
Gabriel Rodríguez is an editor at Money who covers financial technology and digital security. His two main topics of expertise are identity theft protection services and crypto, specifically crypto wallet and crypto exchanges.
See full bio
Editor: Kaitlin Mulhere
Kaitlin Mulhere, expert in Student loans, college costs, debt management, and Editor at Money
Kaitlin Mulhere
Editor | Joined April 2015
Kaitlin Mulhere is an editor at Money.com. Since joining in 2015, she’s written and edited about a variety of personal finance topics, including banks, credit, student debt, saving strategies and more.
See full bio
Published: Jun 15, 2026 5:33 p.m. EDT 9 min read
Illustration depicting two fish as they avoid being lured by different scams
Rangy García for Money

You may want to keep a close eye on your credit if you've ever worked or shopped at JCPenney. The criminal hacking group ShinyHunters claimed last week that it stole hundreds of thousands of records from the department store chain along with several other well-known retail brands operating under Catalyst Brands and Authentic Brands Group.

The hacking group posted the alleged breach on its leak site on Friday, warning that the affected companies had until Monday to make contact before the data was disclosed.

JCPenney has not publicly responded to the claim, and ShinyHunters has not published any samples to verify it. Nonetheless, what the group says it has is alarming: Social Security numbers, dates of birth, W-2 tax records, payroll information, physical scans of government-issued IDs and driver's licenses, and other personally identifiable information. It's not clear yet if the stolen data only affects employees (and former employees) or whether customer data was also included.

While passwords are easy to change in aftermath of a possible hack, Social Security numbers and government IDs are not. They remain valid for years and are among the most useful tools available to an identity thief. What’s more, stolen W-2s and payroll records can fuel more convincing phishing attacks by providing detailed personal and employment information.

ShinyHunters’ claim hasn't been confirmed, but their track record gives it some credibility. The group has been tied to major data-theft and extortion campaigns, including a large cyberattack on Salesforce last year that rippled out to numerous other companies and breaches at Ticketmaster, AT&T, Canvas and Rockstar Games.

For now, it’s best to stay alert and take additional precautions if you have an account at JCPenney or other retail brands connected to Catalyst Brands and Authentic Brands Group, such as Aéropostale, Brooks Brothers, Lucky Brand and Nautica. Consider freezing your credit, watch for breach alerts and keep an eye on any unusual tax or payroll-related correspondence in the coming days.

Where People Are Protecting Their Privacy Online Right Now

Other current scams to watch out for

Mortgage relief scheme

The Federal Trade Commission (FTC) announced last week that it's returning nearly $3 million to consumers deceived by a mortgage relief scheme that operated under a web of names, including Golden Home Services, Home Matters USA and Academy Home Services. These fraudulent companies falsely promised to reduce homeowners’ mortgage payments and prevent foreclosures, taking millions of dollars from people who were already struggling financially. A federal court banned the companies and their operators from telemarketing and debt relief businesses.

Now, the FTC is mailing checks to 1,821 affected consumers, and recipients have 90 days to cash them. If you think you may be eligible, contact the refund administrator, JND Legal Administration, at 1-833-674-0067. Remember that the FTC will never ask you to pay anything to receive a refund.

Fake VA postcards

The Department of Veterans Affairs (VA) is warning veterans about a new postcard scam where fraudulent mailers claim the recipient or their spouse is entitled to extra VA benefits — including additional health care and dental coverage — regardless of their disability rating. The postcards are designed to look official and instruct veterans to call a number quickly, sometimes within five days. According to the VA, the goal is to get recipients on the phone, where scammers may flatter them for their military service before trying to collect sensitive information like your Social Security number, bank account details or other personal data.

The VA says veterans should not call unverified numbers on suspicious postcards and should hang up immediately if they receive unsolicited calls asking for personal or financial information. Do not trust benefit offers that arrive out of the blue — especially if they pressure you to respond quickly — or call the number listed on a suspicious postcard. Instead, verify benefit questions directly with VA by calling 1-800-827-1000. Veterans who suspect fraud can report it through VSAFE.gov or by calling 1-833-38V-SAFE.

Where People Are Protecting Their Privacy Online Right Now

Protect your digital life: See Lifelock's current identity theft plans and get your first year of the standard plan for just $7.99 a month

The most common types of scam you should know

Scammers are constantly upping their game, coming up with new and exciting ways (for them) of fooling their targets. AI-powered scams are one example of this; the technology is being used to reach a larger number of people with increasingly more convincing schemes

But some tricks never run out of style. Most scams fall into a handful of familiar patterns, and many long-standing schemes are still a threat today. They’ve just evolved to better fit today’s digital landscape

  1. Imposter scams: Scammers often pose as trusted figures such as government agencies, banks, employers and even friends or family to pressure victims into sending money or sharing personal information
  2. Phishing and spoofing scams:
 These scams use emails, texts or phone calls that look like they’re from legitimate organizations. The goal is to trick you into clicking a malicious link, downloading malware or handing over sensitive information
  3. Online shopping scams: Fraudsters can create fake online stores or listings with hard-to-find items at unusually low prices. After you pay for an article, what you end up getting might be counterfeit — or it may never arrive in the first place
  4. Investment scams: This type of scam often arrives with promises of high returns from crypto, forex or other “exclusive” opportunities. Many involve long-term grooming tactics in which victims are encouraged to invest more over time before losing everything
  5. Romance scams: Some scammers try to get into your pocket through the heart. They build a relationship with you on dating apps or social media, then convince you to give up money and assets by fabricating emergencies or investment opportunities

Plans for everyone: Check out Aura's identity theft options for you and your family, starting at $9 a month when you pay annually

What to do if you’re the target — or victim — of a scam

No one is immune to scams or fraud, but a few consistent habits can reduce their danger and the damage they cause

For starters, be skeptical of unsolicited messages, especially those creating fear or urgency. This might look like an email from your bank threatening to close an account, a text from an online marketplace saying you’ll lose a discount or a call from the IRS claiming they’ll report you to the authorities unless you “act now.”

Scammers love to use this sort of language because it puts you on the spot, which they expect will move you to action

Always verify any requests from an organization by cross-checking with its official phone numbers, email or website. And don’t click any links, download attachments or respond to messages you suspect may be fraudulent. A legitimate organization will not pressure you for instant action or secrecy

Now, if you’ve already sent financial information or money to someone you suspect is a scammer, you’ll need to take a few steps to protect your data and possibly get your money reimbursed. Contact your bank, credit card issuer or payment platform immediately and attempt to stop or reverse the transactions. Make sure to change any relevant passwords and enable multi-factor authentication to safeguard your accounts, too.

Reporting a scam might also help protect others. You can file a report with the Federal Trade Commission and with local authorities at your nearby police department or sheriff’s office. Identity theft victims should also consider temporarily freezing their credit

Lastly, review your financial statements and credit reports regularly, keep your software updated and limit how much personal information you share online. Scammers often rely on publicly available details to make their schemes more convincing

More from Money

How to Protect Yourself From Card Skimmers at ATMs and Gas Pumps

Best Identity Theft Protection Services

Best Credit Monitoring Services