JCPenney and associated brands are tied to a June 2026 data leak indexed by leaksear.ch, with 138,226 normalized HR-related records recovered from employee, candidate, payroll, banking, and HR exports and a breach date listed as June 1, 2026 (leaksear.ch metadata). Public reporting and Have I Been Pwned connect the exposure to ShinyHunters' Oracle PeopleSoft extortion campaign, with the published data described as mainly internal HR records affecting current and former employees (haveibeenpwned.com).
What happened
JCPenney and SPARC Group announced in January 2025 that they had combined to form Catalyst Brands, bringing JCPenney and several retail brands under one organization (corporate.jcpenney.com). In June 2026, Cybernews and DeXpose reported that ShinyHunters added JCPenney and brands associated with Catalyst Brands and Authentic Brands Group to its leak site, claimed hundreds of thousands of records, and set a mid-June deadline before release; Cybernews noted at the time that no samples had been published and that the scope and authenticity remained unconfirmed pending a company response (cybernews.com, www.dexpose.io).
By June 17, BreachNews reported that ShinyHunters had allegedly moved JCPenney and several other victims from extortion listings to release listings. Have I Been Pwned later published a JCPenney breach page stating that data allegedly obtained through exploitation of an Oracle PeopleSoft zero-day was published publicly and primarily related to internal HR systems (breachnews.com, haveibeenpwned.com).
Mandiant and Google Threat Intelligence Group attributed the broader PeopleSoft campaign to UNC6240, ShinyHunters, observed it between May 27 and June 9, 2026, and assessed that CVE-2026-35273 was exploited as a zero-day before Oracle's June 10 advisory. Oracle's alert says CVE-2026-35273 affects PeopleSoft PeopleTools, is remotely exploitable without authentication, and may result in remote code execution (cloud.google.com, www.oracle.com).
What data was exposed
leaksear.ch indexed 138,226 normalized records tied to JCPenney and associated brands (leaksear.ch metadata). The searchable fields in this index are address, country, date of birth, email address, name, phone number, and username; stored non-searchable context includes source file references, source row numbers, and source-value audit metadata (leaksear.ch metadata).
The source archive is described as employee, candidate, payroll, banking, and HR exports, but the supplied index metadata does not identify a specific bank-account field as a searchable pivot (leaksear.ch metadata). Have I Been Pwned separately lists 368 thousand affected accounts and describes exposed categories including dates of birth, email addresses, government-issued IDs, job titles, names, phone numbers, physical addresses, and usernames; Cybernews reported the threat actor's claim also referenced Social Security numbers, W-2 tax records, payroll information, driver's licenses, and scans of government-issued identity documents (haveibeenpwned.com, cybernews.com).
Why this matters
For individuals, a cluster of name, home address, phone number, email address, date of birth, and username can support convincing impersonation, account-recovery attempts, and payroll or benefits-themed phishing. If Social Security numbers, tax records, or government ID material are present in portions of the data as public sources report, impacted people face longer-lived identity and tax-fraud risk because those identifiers cannot be reset like passwords (haveibeenpwned.com, cybernews.com). Security teams should treat the exposure as HR-data loss, warn affected populations about targeted phishing, and verify PeopleSoft patch status and incident logs where relevant. If you are a current or former JCPenney or associated-brand employee or job candidate, use the exposure check on this page to see whether your data appears in the leak.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, phone, and username.
Sources
- Have I Been Pwned: JCPenney Data Breach
- Cybernews: ShinyHunters claim JCPenney retail data theft involving SSNs and payroll files
- DeXpose: ShinyHunters Breaches JCPenney and Catalyst Brands
- BreachNews: ShinyHunters Publishes Alleged Data From American Tower, JCPenney, Ralph Lauren and Other Victims
- Google Cloud Blog: ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit
- Oracle: Oracle Security Alert Advisory - CVE-2026-35273
- JCPenney Newsroom: SPARC Group Has Merged with JCPenney To Form Catalyst Brands