Kohl’s didn’t even try to keep your personal information secure.

Kohl’s Faces Class Action Over Data Breach Exposing 4.2M Customers
Corporate Misconduct Accountability Project


Major retailer allegedly failed to protect customers’ Social Security numbers and personal data after vendor FBCS was hacked, then delayed notifying victims for months.

CRITICAL SEVERITY
TL;DR

Kohl’s is accused of failing to protect the personal information of over 4.2 million customers after its debt collection vendor, FBCS, suffered a data breach in February 2024. Hackers accessed unencrypted Social Security numbers, birth dates, and account information for nearly two weeks before detection. Kohl’s waited until August 2024 to notify affected customers, leaving them vulnerable to identity theft for months.

This breach shows how retailers prioritize cost-cutting over customer safety, leaving millions at lifelong risk of fraud.

4.25M
Customers whose personal data was exposed
12 days
Duration of unauthorized access to FBCS systems
6 months
Delay before Kohl’s notified customers
1,100+
Kohl’s retail locations across U.S.

The Allegations: A Breakdown

⚠️
Core Allegations
What Kohl’s did wrong · 8 points
01 Kohl’s failed to adequately vet its debt collection vendor FBCS before handing over millions of customers’ Social Security numbers, birth dates, and account information. The complaint alleges Kohl’s did not verify FBCS maintained adequate data security practices. high
02 The data Kohl’s handed to FBCS was stored without encryption or redaction, leaving highly sensitive information readable to anyone who reached the FBCS network. Hackers accessed unencrypted personal data including Social Security numbers during a 12-day intrusion from February 14 to February 26, 2024. high
03 Kohl’s delayed notifying affected customers for nearly six months after FBCS discovered the breach on February 26, 2024. Notice letters did not go out until August 15, 2024, preventing victims from taking protective action. high
04 The retailer continued to maintain customer PII longer than necessary and failed to delete or archive inactive data files. This practice increased the volume of exposed records when the breach occurred. medium
05 The complaint alleges Kohl’s failed to implement industry-standard security measures including firewalls, anti-virus software, multi-factor authentication, and employee training, and did not comply with FTC cybersecurity guidance or the NIST Cybersecurity Framework. The complaint lists these controls generically and does not tie any specific missing control to the intrusion at FBCS, where the unauthorized access occurred. high
06 The company did not establish adequate monitoring systems to detect the breach in a timely manner. FBCS systems were compromised for 12 days before discovery, giving hackers extended access to customer data. medium
07 Kohl’s failed to ensure FBCS had procedures in place to delete sensitive customer information after it was no longer required for debt collection purposes. This violated promises to keep data confidential and properly dispose of it. medium
08 The retailer did not provide customers with complete information about the breach’s root cause, vulnerabilities exploited, or specific remedial measures taken. The notice letters were vague and failed to help victims properly assess their risk. medium
⚖️
Regulatory Failures
How oversight fell short · 6 points
01 Kohl’s violated Section 5 of the Federal Trade Commission Act by failing to use reasonable measures to protect customer data. The FTC prohibits unfair practices including inadequate data security, yet enforcement remained absent. high
02 The company ignored FTC guidelines published in October 2016 that require businesses to encrypt stored information, limit data retention, use complex passwords, and verify third-party vendors implement reasonable security measures. high
03 Kohl’s failed to meet minimum standards of established cybersecurity frameworks including NIST Cybersecurity Framework Version 1.1 and the Center for Internet Security’s Critical Security Controls. These are recognized industry standards for data protection. medium
04 The patchwork of state data breach laws allowed Kohl’s to delay notification and provide minimal details. Different state requirements created loopholes that companies exploit to reduce legal liability. medium
05 No federal regulator took action despite the breach affecting 4.25 million people. The complaint was filed in October 2024 with no reported FTC enforcement or penalty against Kohl’s as of that date. high
06 Industry lobbying has prevented strict federal data privacy legislation, leaving consumers vulnerable. The U.S. lacks comprehensive data protection laws comparable to Europe’s GDPR, which imposes meaningful fines for breaches. medium
💰
Profit Over People
How cost-cutting enabled the breach · 6 points
01 Kohl’s outsourced debt collection to FBCS to reduce overhead costs rather than building an in-house operation with proper security controls. This business decision prioritized profit margins over customer data protection. high
02 The company calculated that investing in robust cybersecurity was less profitable than risking a breach. Kohl’s avoided costs for encryption, vendor audits, security personnel, and monitoring systems that could have prevented the intrusion. high
03 Kohl’s derived substantial economic benefit from collecting and using customer PII for credit card services, yet failed to allocate adequate resources to protect that data. The company profited from data collection while externalizing security costs onto consumers. high
04 By failing to delete old customer records, Kohl’s and FBCS maintained a larger database that was potentially useful for future marketing or analytics. This data hoarding created a massive single point of vulnerability when hackers struck. medium
05 The retailer weighed the cost of potential lawsuits and settlements against the expense of proper security measures and chose the cheaper option. Historical data breach settlements are often a small fraction of what robust security would cost. medium
06 Kohl’s top executives and shareholders remain insulated from personal liability for the breach. The company can treat legal settlements as a manageable cost of doing business while continuing data collection practices unchanged. medium
📉
Economic Fallout
Who really pays the price · 7 points
01 Victims face lifelong identity theft risk because Social Security numbers never expire and can be used for fraud decades later. The complaint notes stolen data may be held for a year or more before criminals use it to commit identity theft. high
02 Affected customers must spend dozens or hundreds of hours monitoring accounts, freezing credit, disputing fraudulent charges, and correcting credit reports. This lost time represents significant economic damage that falls entirely on victims, not Kohl’s. high
03 Customers’ personal data now circulates on dark web marketplaces where criminals pay $40 to $200 for PII records. Complete identity packages with Social Security numbers can sell for up to $363 per record, creating ongoing profit for cybercriminals. high
04 Lower-income victims face disproportionate harm from identity theft. A single fraudulent payday loan or false charge can trigger late fees, denied credit applications, and financial crisis for families living paycheck to paycheck. high
05 The compromised data loses its value to victims while gaining value to criminals. Customers’ PII has inherent market value that was transferred to hackers without compensation, resulting in direct economic loss. medium
06 Victims may face unexpected denial of mortgages, car loans, or employment due to fraudulent accounts opened in their names. These denials can occur years after the breach when customers have no reason to connect the problem to Kohl’s negligence. high
07 Class members experience increased spam calls, phishing emails, and text message scams. Criminals use stolen names and contact information to target breach victims with social engineering attacks designed to extract additional sensitive data. medium
🔓
Corporate Accountability Failures
Why no one takes responsibility · 6 points
01 Kohl’s deflected responsibility by emphasizing the breach occurred at FBCS, not in Kohl’s own systems. This corporate defense ignores that Kohl’s chose the vendor and provided the data without ensuring adequate protection. high
02 The outsourcing arrangement created organized irresponsibility where each party points to the other. Kohl’s claims security was FBCS’s job, while FBCS follows Kohl’s instructions, leaving no clear accountability for the failure. high
03 Kohl’s did not establish audit procedures or penetration testing to verify FBCS maintained proper security. The company had no system to detect that its vendor was vulnerable until after millions of records were stolen. medium
04 The company provided only vague public statements saying it takes privacy seriously and is investigating, without detailing how the breach occurred or what specific changes would prevent recurrence. This PR approach controls the narrative while avoiding real transparency. medium
05 Kohl’s offered limited free credit monitoring that fails to address the indefinite risk from compromised Social Security numbers. A year or two of monitoring does not protect victims from fraud that may occur decades later. medium
06 No Kohl’s executives face personal consequences for the data security failure. The corporate structure shields individual decision-makers from liability even when their cost-cutting choices directly enabled the breach. high
🏥
Public Health and Safety
The hidden toll on victims · 5 points
01 Breach victims suffer anxiety, sleep disruption, stress, fear, and frustration from knowing their Social Security numbers are in criminals’ hands. The complaint specifically identifies these as compensable harms beyond mere inconvenience. high
02 The mental health impact of potential identity theft creates ongoing psychological burden. Victims must remain vigilant for years, constantly worrying whether the next call, letter, or credit denial stems from the stolen data. medium
03 Identity theft victims face substantial costs to repair damage to their credit records and good name. The U.S. Government Accountability Office confirmed in 2007 that victims endure major time and financial burdens to recover from data breaches. medium
04 Affected individuals experience invasion of privacy from the unauthorized exposure of their most sensitive personal information. This loss of privacy is a direct injury that cannot be fully remedied by monetary compensation. medium
05 The breach’s health impacts may extend to physical manifestations of chronic stress including cardiovascular problems, weakened immune systems, and other stress-related conditions documented in identity theft victims. low
Exploiting Delay
How waiting made things worse · 5 points
01 Kohl’s waited nearly six months after breach discovery to notify customers, from February 26 to August 15, 2024. During this period, victims could not freeze credit, monitor accounts, or take protective action against identity theft. high
02 The notification delay allowed criminals to potentially sell or use stolen data while victims remained unaware. The complaint notes fraudulent use of stolen information may not be discovered until debt collection calls start months or years later. high
03 By the time customers received notice, their data had likely already circulated on dark web marketplaces for months. Early notification could have allowed victims to place fraud alerts before criminals completed identity verification for new accounts. high
04 The delay in disclosure minimized immediate PR damage and negative press coverage for Kohl’s. Consumer advocates question whether companies deliberately stall notification to control the news cycle and reduce public outcry. medium
05 Kohl’s provided no explanation for why notification took so long beyond conducting an investigation. The company did not clarify whether law enforcement requested delay, leaving victims to wonder if the postponement served corporate interests over consumer protection. medium
📢
The PR Machine
How Kohl’s controlled the narrative · 4 points
01 Kohl’s emphasized that its own network was not impacted, attempting to distance itself from FBCS’s security failure. This messaging ignores that Kohl’s chose FBCS as a vendor and provided the customer data that was stolen. medium
02 The company’s notice letters omitted details about the breach’s root cause, specific vulnerabilities exploited, and remedial security measures implemented. This lack of transparency prevents customers from assessing their true risk level. high
03 Kohl’s likely issued standard corporate statements saying it takes privacy seriously and is cooperating with law enforcement. These boilerplate responses project responsibility without committing to specific, verifiable security improvements. medium
04 The retailer may have compared this breach to other incidents to suggest it was not as severe. However, with 4.25 million affected individuals and Social Security numbers exposed, the scale is objectively massive. low
📋
The Bottom Line
What this breach reveals · 6 points
01 The Kohl’s data breach exemplifies how retailers prioritize short-term profit over customer data security. The company saved money by outsourcing to FBCS without ensuring adequate vendor oversight, then waited months to disclose the breach. high
02 This case demonstrates systemic failure in U.S. data protection where corporations face minimal consequences for negligence. Without strong federal privacy laws or meaningful enforcement, breaches become a predictable cost of doing business rather than a deterrent. high
03 Over 4.25 million people now face lifelong identity theft risk because Kohl’s failed to implement basic security measures like encryption. The victims, not the company, will bear the costs of credit monitoring, fraud resolution, and constant vigilance for years to come. high
04 The outsourcing of debt collection created an accountability gap where Kohl’s blames FBCS and FBCS acts on Kohl’s instructions, leaving no one clearly responsible. This organized irresponsibility is a feature of modern corporate data handling, not a bug. high
05 Unless regulatory frameworks impose severe financial penalties and mandatory security standards, corporations will continue underinvesting in data protection. The current system allows companies to weigh lawsuit settlements against security costs and choose the cheaper option. high
06 This breach highlights how wealth disparity magnifies data breach harm. Lower-income victims who cannot easily afford credit monitoring or legal help will suffer disproportionate consequences from identity theft enabled by Kohl’s negligence. medium

Timeline of Events

February 14, 2024
Hackers gain unauthorized access to FBCS network systems containing Kohl’s customer data
February 26, 2024
FBCS discovers the breach after 12 days of unauthorized access
April 26, 2024
FBCS publicly announces the data breach in filing with Maine Attorney General
July 10, 2024
FBCS determines specific individuals affected, including Kohl’s customers
August 15, 2024
Kohl’s begins sending breach notification letters to affected customers
October 9, 2024
Michael Martinez files class action lawsuit against Kohl’s in U.S. District Court for Eastern District of Pennsylvania

Direct Quotes from the Legal Record

QUOTE 1 Kohl’s failed to encrypt sensitive data allegations
“Defendant failed to adequately protect Plaintiff’s and Class Members’ PII—and failed to even encrypt or redact this highly sensitive information. This unencrypted, unredacted PII was compromised due to Defendant’s negligent and/or careless acts and omissions and its utter failure to protect its customers’ sensitive data.”

💡 Encryption at rest is a baseline control, but it only helps if the intruder cannot also reach the keys; redaction and minimization (sending a collections vendor only the last four digits of an SSN, for example) protect the data regardless of how the vendor’s network is breached.

QUOTE 2 Extended access period allegations
“The investigation determined that the environment was subject to unauthorized access between February 14 and February 26, 2024, and the unauthorized actor had the ability to view or acquire certain information on the FBCS network during the period of access.”

💡 The investigation could confirm only that the actor had the ability to view or acquire data during the window, not what was actually taken; the complaint points to the 12-day dwell time as evidence that monitoring was inadequate.

QUOTE 3 Massive scale of breach economic
“In a filing with the Office of the Maine Attorney General, FBCS confirms that the PII of 4,253,394 individuals was exposed by the Data Breach.”

💡 Over 4.25 million people now face identity theft risk from this single security failure.

QUOTE 4 Kohl’s failed to vet vendor profit
“Defendant also failed to adequately protect Plaintiff’s and Class Members’ PII by virtue of its failure to vet its vendors—here, FBCS—and ensure they were submitting PII to an entity with adequate data security practices and that its vendors were deleting or archiving inactive PII data and files.”

💡 The complaint alleges Kohl’s handed over millions of Social Security numbers without verifying its vendor had proper security or a process for deleting inactive data.
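The two controls that quotes 1 and 4 say were missing, redaction or encryption of SSNs before data leaves the company and deletion of inactive PII, are shown below as an added example written for this page; it is not code from Kohl’s, FBCS or the complaint. The field names, the 180-day retention window, the key and the sample accounts are all assumptions. The vendor export keeps only the last four SSN digits plus a keyed-hash token (the key stays on the originating side, so a dump of the vendor’s store cannot be reversed), drops the date of birth entirely, refuses to ship anything shaped like a full SSN, and a retention sweep purges records with no activity inside the window.

```python
# Added example for this page, not code from Kohl's, FBCS, or the complaint.
# It demonstrates two controls the complaint says were absent: minimizing and
# redacting what leaves the company for a vendor, and purging inactive PII.
# All names, fields, the retention window and the sample records are assumptions.
import hashlib
import hmac
import json
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: this secret lives in a KMS/HSM on the originating side only. It is
# never shipped to the vendor, so a dump of the vendor's store cannot be reversed.
PSEUDONYM_KEY = b"example-only-key-held-in-kms"

# Anything shaped like a full SSN must not survive into the export.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class Account:
    account_id: str
    name: str
    ssn: str             # full SSN, retained only in the system of record
    dob: str
    balance_due: float
    last_activity: date  # last payment, contact, or status change
    in_collections: bool


def pseudonymize_ssn(ssn: str) -> str:
    """Keyed hash of the SSN: stable per person, so the vendor can dedupe and
    match accounts, but useless to a thief who only obtains the vendor's data."""
    return hmac.new(PSEUDONYM_KEY, ssn.encode(), hashlib.sha256).hexdigest()


def redact_ssn(ssn: str) -> str:
    """Keep only the last four digits, which is all a collector needs on a call."""
    return "***-**-" + ssn[-4:]


def vendor_record(acct: Account) -> dict:
    """Minimal record for a collections vendor: no DOB, no full SSN."""
    return {
        "account_id": acct.account_id,
        "name": acct.name,
        "ssn_last4": redact_ssn(acct.ssn),
        "ssn_token": pseudonymize_ssn(acct.ssn),
        "balance_due": acct.balance_due,
        "last_activity": acct.last_activity.isoformat(),
    }


def export_leaks_full_ssn(export_json: str) -> bool:
    """Pre-transfer check: true if a full SSN survived redaction anywhere."""
    return SSN_RE.search(export_json) is not None


def build_vendor_export(accounts: list[Account]) -> str:
    """Only accounts actually in collections leave the company, and the
    serialized payload is scanned before it is allowed out."""
    rows = [vendor_record(a) for a in accounts if a.in_collections]
    payload = json.dumps(rows, sort_keys=True)
    if export_leaks_full_ssn(payload):
        raise ValueError("export blocked: full SSN present in payload")
    return payload


def purge_inactive(rows: list[dict], today: date, retention_days: int = 180):
    """Retention sweep on the vendor side: records idle longer than the window
    are removed rather than kept indefinitely. Returns (kept, purged_ids)."""
    kept, purged = [], []
    for r in rows:
        idle = (today - date.fromisoformat(r["last_activity"])).days
        (purged if idle > retention_days else kept).append(r)
    return kept, [r["account_id"] for r in purged]


TODAY = date(2024, 2, 14)  # first day of the intrusion window, per the complaint

# Constructed sample data, not real customers.
SAMPLE_ACCOUNTS = [
    Account("A-1001", "Ada Example", "123-45-6789", "1980-01-01", 412.50,
            TODAY - timedelta(days=20), True),
    Account("A-1002", "Bob Example", "987-65-4321", "1975-06-30", 0.00,
            TODAY - timedelta(days=400), True),
    Account("A-1003", "Cy Example", "555-12-3456", "1990-12-12", 99.99,
            TODAY - timedelta(days=5), False),
]


def demo() -> dict:
    export = build_vendor_export(SAMPLE_ACCOUNTS)
    rows = json.loads(export)
    kept, purged = purge_inactive(rows, TODAY)
    return {"exported": len(rows), "kept": len(kept), "purged": purged}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` on the constructed sample exports the two accounts in collections, keeps one, and purges the one idle for over a year; the point is that a breach of the vendor’s store would then expose tokens and last-four digits rather than full SSNs and birth dates.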

QUOTE 5 Lifelong risk to victims economic
“The present and continuing risk to victims of the Data Breach will remain for their respective lifetimes.”

💡 Unlike credit cards that can be cancelled, Social Security numbers never expire and remain vulnerable forever.

QUOTE 6 Six month notification delay delay_tactics
“On or about August 15, 2024, Kohl’s began sending out notice letters to its customers, stating that Kohl’s debt collection agency, FBCS, had experienced a data breach, which it discovered on February 26, 2024.”

💡 Kohl’s waited nearly six months to warn customers, preventing them from protecting themselves during that window.

QUOTE 7 Data sold on dark web economic
“Plaintiff further believes his PII, and that of Class Members, was subsequently sold on the dark web following the Data Breach, as that is the modus operandi of cybercriminals that commit cyber-attacks of this type.”

💡 Stolen personal data typically enters black markets where criminals buy it to commit identity fraud.

QUOTE 8 FTC violation regulatory
“Kohl’s violated Section 5 of the FTCA by failing to use reasonable measures to protect PII and not complying with applicable industry standards, as described in detail herein.”

💡 The complaint frames inadequate data security as an unfair practice under Section 5; this is an allegation, not an FTC finding, and no FTC action against Kohl’s has been reported.

QUOTE 9 Cost-cutting over security profit
“Kohl’s enriched itself by saving the costs it reasonably should have expended on data security measures to secure Plaintiff and Class Members’ PII. Instead of providing a reasonable level of security that would have prevented the Data Breach, Kohl’s instead calculated to increase its own profit at the expense of Plaintiff and Class Members by utilizing cheaper, ineffective security measures.”

💡 The complaint alleges Kohl’s chose cheaper, ineffective security to protect its margins; this is pleaded, not proven.

QUOTE 10 Vague breach notice pr_machine
“Omitted from both the Notice of Data Breach and the Kohl’s Notice are the details of the root cause of the Data Breach, the vulnerabilities exploited, and the specific remedial measures undertaken to ensure such a breach does not occur again.”

💡 Kohl’s refused to provide customers with information needed to assess their actual risk.

QUOTE 11 Value of stolen data economic
“Conversely, sensitive PII can sell for as much as $363 per record on the dark web according to the Infosec Institute.”

💡 The stolen information has significant black market value, ensuring criminals will exploit it.

QUOTE 12 Victims bear the costs economic
“As a direct and proximate result of Kohl’s negligence, Plaintiff and Class Members have suffered and will suffer injury, including but not limited to: (i) invasion of privacy; (ii) lost or diminished value of PII; (iii) lost time and opportunity costs associated with attempting to mitigate the actual consequences of the Data Breach; (iv) loss of benefit of the bargain; (v) an increase in spam calls, texts, and/or emails; and (vi) the continued and certainly increased risk to their PII.”

💡 Customers pay the price in time, money, and stress while Kohl’s faces minimal consequences.

QUOTE 13 Ignored industry standards regulatory
“Defendant failed to meet the minimum standards of any of the following frameworks: the NIST Cybersecurity Framework Version 1.1 (including without limitation PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5, PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for Internet Security’s Critical Security Controls (CIS CSC), which are all established standards in reasonable cybersecurity readiness.”

💡 These identifiers are NIST CSF 1.1 subcategories: PR.AC covers access control (PR.AC-7 is authentication, including multi-factor), PR.AT awareness and training, PR.DS data security (PR.DS-1 is protection of data at rest), PR.PT protective technology, DE.CM continuous monitoring, and RS.CO-2 incident reporting. The complaint cites them as the baseline for reasonable security, not as evidence of which control specifically failed at FBCS.

QUOTE 14 Emotional harm to victims health
“Because of the Data Breach, Plaintiff has suffered—and will continue to suffer from—anxiety, sleep disruption, stress, fear, and frustration. Such injuries go far beyond allegations of mere worry or inconvenience.”

💡 Data breaches cause real psychological harm beyond financial losses.

QUOTE 15 Foreseeable consequences accountability
“A breach of security, unauthorized access, and resulting injury to Plaintiff and Class Members was reasonably foreseeable, particularly in light of Kohl’s inadequate security practices.”

💡 The complaint alleges Kohl’s knew or should have known its security practices were inadequate and that a breach was a foreseeable result.

Frequently Asked Questions

What information was exposed in the Kohl’s data breach?
Hackers accessed names, Social Security numbers, dates of birth, mailing addresses, email addresses, and partial account numbers for over 4.25 million Kohl’s customers. This information was stored unencrypted on systems belonging to FBCS, a debt collection vendor.
When did the breach happen and when was I notified?
Hackers accessed the systems from February 14 to February 26, 2024, a 12-day period. FBCS discovered the breach on February 26, but Kohl’s did not begin notifying affected customers until August 15, 2024, nearly six months later.
Why did it take so long for Kohl’s to tell customers?
Kohl’s has not provided a clear explanation for the six-month delay. The company claims it was conducting an investigation, but consumer advocates question whether the delay was designed to minimize negative publicity and control the news cycle.
What can criminals do with my stolen information?
With your Social Security number, name, and date of birth, criminals can open credit cards, take out loans, file fraudulent tax returns, apply for unemployment benefits, or commit medical identity theft in your name. This stolen data sells for up to $363 per record on dark web marketplaces.
Am I at risk even if I have not seen fraud yet?
Yes. Identity theft can remain undetected for months or even years. Criminals often hold stolen data for extended periods before using it, and your Social Security number never expires, creating lifelong risk.
What is Kohl’s offering to help victims?
The lawsuit criticizes any limited credit monitoring offered as inadequate because it typically lasts only one or two years, while the risk from compromised Social Security numbers is permanent. The complaint argues this does not address the true scope of harm.
How did this breach happen?
The breach occurred at FBCS, a debt collection company Kohl’s hired. According to the lawsuit, Kohl’s failed to verify FBCS had proper security measures before handing over millions of customer records, and the data was stored without encryption or redaction, so whoever reached the FBCS network could read it directly.
Is Kohl’s being held accountable?
A class action lawsuit was filed in October 2024 seeking damages and requiring Kohl’s to improve security practices. However, no federal regulator has taken enforcement action as of the filing date.
What should I do to protect myself?
Place a freeze on your credit with all three bureaus (Equifax, Experian, TransUnion); freezes are free under federal law and do not affect your credit score. Monitor your credit reports for unauthorized accounts, request an IRS Identity Protection PIN and file your taxes early to block fraudulent returns, treat unsolicited calls, texts and emails that mention the breach as suspect, and document any fraud immediately (a report at IdentityTheft.gov generates a recovery plan).
Can I join the class action lawsuit?
If you received a breach notification letter from Kohl’s, you may be included automatically in the class if it is certified. You can also contact the attorneys listed in the lawsuit (Ahdoot & Wolfson PC, Kopelowitz Ostrow PA, Levin Sedran & Berman LLP, or Morgan & Morgan) to learn about your options.
Post ID: 872  ·  Slug: kohls-data-breach-leak-fbcs-financial-business-consumer-solutions  ·  Original: 2024-11-21  ·  Rebuilt: 2026-03-19

additional sources:
https://www.law360.com/articles/1888527/kohl-s-sued-after-vendor-hack-leaks-1-9m-customers-files

https://news.bloomberglaw.com/privacy-and-data-security/kohls-3-others-join-list-sued-over-debt-collector-data-breach


Aleeia

I'm the creator of this website. I have 6+ years of experience as an independent researcher studying corporatocracy and its detrimental effects on every single aspect of society.

For more information, please see my About page.

All posts published by this profile were either personally written by me, or I actively edited / reviewed them before publishing. Thank you for your attention to this matter.
