Kohl’s Didn’t Even Try to Keep Your Personal Information Secure

The Breach: A Twelve-Day Open Window Into 4.25 Million Lives

Kohl’s handed your personal data to a debt collector, that debt collector left the door wide open, and hackers had twelve days to take whatever they wanted. Here is the documented sequence of events.

  • Kohl’s operates more than 1,100 retail stores across the United States and sells its own credit cards, requiring customers to submit sensitive personal information as a condition of opening an account.
  • Kohl’s used Financial Business and Consumer Solutions, Inc. (FBCS), a nationally licensed debt collection agency, to pursue unpaid credit card balances. This arrangement required Kohl’s to transfer customer PII, including names, Social Security numbers, and dates of birth, directly to FBCS.
  • Between February 14 and February 26, 2024, an unauthorized actor had active access to FBCS’s computer network. By FBCS’s own account, the attacker had the ability to view or acquire certain information on the FBCS network throughout those twelve days.
  • FBCS discovered the breach on February 26, 2024, according to its own filing with the Office of the Maine Attorney General. It did not notify consumers until April 26, 2024, two months after discovery.
  • The Maine AG filing confirms the total scope: 4,253,394 individuals had their PII exposed in this breach. The data accessed included names or other personal identifiers combined with driver’s license numbers or non-driver identification card numbers, acquired through external hacking.
  • Kohl’s sent its own notice letters to affected customers beginning August 15, 2024, about five and a half months after the breach was discovered. Those letters confirmed that affected information may have included name, Social Security number, date of birth, and account information including mailing address, email address, and partial account numbers.
  • The class action complaint estimates the Kohl’s-specific subset of affected people at approximately 1,955,385 individuals.
  • At the time of the breach, the PII held by FBCS was unencrypted and unredacted. The complaint states this directly: the attacker “accessed and acquired files containing unencrypted PII of Plaintiff and Class Members.”
Visual 1: Breach-to-Notification Timeline (how long Kohl’s customers were left in the dark)
  • Feb 14, 2024: breach begins; the unauthorized actor enters FBCS’s network.
  • Feb 26, 2024: FBCS discovers the intrusion; access ends. Twelve days open.
  • Apr 26, 2024: FBCS notifies consumers. Two months of silence.
  • Jul 10, 2024: FBCS determines that individuals’ information may have been acquired.
  • Aug 15, 2024: Kohl’s begins sending its own notice letters, about five weeks later.
  • Total: roughly five and a half months from breach discovery to Kohl’s customer notification.

Visual 2: Who Held Your Data and How It Moved
  • Kohl’s customers (~1.96M affected) provide PII to Kohl’s, Inc. as a condition of opening a credit card account.
  • Kohl’s, Inc. collects the PII and transfers it to FBCS without vetting FBCS’s security.
  • FBCS, the debt collector, stores the PII unencrypted.
  • An unauthorized actor exfiltrates the unencrypted data from FBCS between Feb 14 and Feb 26, 2024.

What It Actually Feels Like to Learn Kohl’s Gave Away Your Social Security Number

Michael Martinez, the named plaintiff, lives in Arizona. He opened a Kohl’s credit card. He did what millions of ordinary people do every year: he handed over his name, his Social Security number, his date of birth, and his address to a large corporation because that is the price of participation in American consumer life. He took reasonable precautions. He never sent his PII unencrypted over the internet. He kept his documents secure. He chose unique passwords. He did everything right.

Then, on August 15, 2024, a letter arrived from Kohl’s. It told him that a debt collection agency he had never heard of, a company called FBCS, had been hacked earlier that year. It told him his name, his Social Security number, his date of birth, his email address, his mailing address, and his account information may have been acquired by an unauthorized actor. It did not tell him why it happened. It did not tell him how it happened. It did not explain what FBCS’s security looked like before the breach or what it looked like after. It gave him no specific tools to understand the actual threat to his specific life.

What the letter left out is as important as what it included. The complaint filed in federal court documents this deliberate vagueness: “Omitted from both the Notice of Data Breach and the Kohl’s Notice are the details of the root cause of the Data Breach, the vulnerabilities exploited, and the specific remedial measures undertaken to ensure such a breach does not occur again.” Kohl’s was relaying the results of FBCS’s investigation and was in a position to demand more than a date range. Its customers were handed a sanitized version conveying the minimum legally required disclosure while limiting the company’s further exposure.

The damage this causes is specific and it is lasting. Social Security numbers are not like credit card numbers. You cannot call a number and have a new one issued. That nine-digit sequence is attached to your identity at the federal level for your entire life. It connects to your tax records, your government benefits, your medical history, your credit profile, your employment record. A criminal who has it and is patient enough to wait one, two, or three years before using it can file a fraudulent tax return in your name, claim unemployment benefits you never applied for, or open lines of credit that will take years of dispute letters and bureaucratic nightmares to untangle. The GAO documented this reality directly: stolen data may be held for up to a year or more before being used, and once posted on the dark web, fraudulent use may continue for years.

In the meantime, you monitor. Every month, you check your credit reports. You set fraud alerts. You place credit freezes. You answer the phone with suspicion because scam calls have spiked since the breach. You delete phishing emails that seem to know your name. You budget for credit monitoring services, because the court filing estimates that cost at $200 per person per year for a minimum of five years. You spend time, time that belonged to your life, to your work, to your family, doing cleanup work for a mess that Kohl’s and FBCS created.

The complaint describes the plaintiff’s daily reality after the notice letter arrived: anxiety, sleep disruption, stress, fear, frustration, and a permanent, low-grade sense that someone, somewhere, has a piece of your identity and is deciding what to do with it. The lawsuit characterizes this plainly: “Such injuries go far beyond allegations of mere worry or inconvenience. Rather, Plaintiff’s injuries are precisely the type of injuries that the law contemplates and addresses.”

What makes this particular breach especially corrosive is that Kohl’s customers had no say in the decision to send their data to FBCS. The plaintiff states he would not have opened a Kohl’s credit card account had he known that Kohl’s would hand his sensitive information to third-party vendors without first verifying that those vendors had adequate security practices. The customer had no ability to protect PII that was transferred without their meaningful knowledge or consent. The choice was made for them by a corporation optimizing for debt collection efficiency and not for data security.

Over 1.9 million people received some version of that letter. Each of them is now carrying a lifetime exposure they did not choose. Kohl’s profited from the credit card program that generated the debt. Kohl’s profited from using a cheaper third-party collector rather than investing in secure in-house processes. Kohl’s saved money by not adequately vetting FBCS’s security practices. And Kohl’s customers are paying for that savings with their peace of mind, their time, and their permanent vulnerability to identity theft.

“The present and continuing risk to victims of the Data Breach will remain for their respective lifetimes.”
— Class Action Complaint, Case No. 24-5405

What the Documents Actually Say: Verbatim From the Record

These are direct quotes from the complaint and from official government filings. Not paraphrased. Not characterized. The words as written.

“On February 26, 2024, FBCS discovered unauthorized access to certain systems in its network. This incident did not impact computer systems outside of FBCS’s network. We immediately took steps to secure the impacted environment and launched an investigation with the assistance of third-party computer forensics specialists to determine the full nature and scope of the incident. The investigation determined that the environment was subject to unauthorized access between February 14 and February 26, 2024, and the unauthorized actor had the ability to view or acquire certain information on the FBCS network during the period of access.”

— FBCS Notice of Data Event, filed with the Office of the Maine Attorney General

  • FBCS confirmed twelve days of open unauthorized access. The phrase “had the ability to view or acquire” is legal hedging: the breach filing with Maine also confirms that names and identification numbers were acquired through external hacking, not merely that they might have been seen.
  • The notice conspicuously omits what caused the vulnerability, what the hacker actually took, and what was done to prevent recurrence. The complaint notes this omission directly and argues it prevented victims from taking meaningful steps to protect themselves.
  • FBCS waited two full months after discovering the breach before sending this notice to consumers. The notice states “this notification was not delayed as a result of a law enforcement investigation,” meaning there is no law-enforcement reason on record for the delay.

“What Happened? On February 26, 2024, FBCS discovered unauthorized access to certain systems in its network. This incident did not impact Kohl’s own network or systems. Based on FBCS’s investigation, an unauthorized actor accessed FBCS’s environment between February 14 and February 26, 2024. FBCS also stated as of July 10, 2024, it determined that the information of individuals, including you, may have been acquired by the unauthorized actor during the incident.”

“What Information Was Involved? The information for affected individuals varied and may have included name, Social Security number, date of birth, and account information (mailing address, email address, partial account numbers).”

— Kohl’s Notice of Data Breach, sent beginning August 15, 2024 (Exhibit A to the Complaint)

  • The phrase “did not impact Kohl’s own network or systems” is technically accurate but legally and morally misleading. Kohl’s chose to send customer data to FBCS. Kohl’s is responsible for the security practices of the vendors it selects. The complaint argues Kohl’s legal duty to protect the data does not end at the moment the data leaves its own servers.
  • The gap of roughly five and a half months between breach discovery (February 26) and Kohl’s customer notification (August 15) is documented here by Kohl’s own letter. The complaint argues this delay prevented victims from taking timely steps to mitigate identity theft risk.
  • The “may” in “may have been acquired” is hedging at the level of the individual customer, while the Maine AG filing states at the aggregate level that names and ID numbers were acquired. Per-person hedging is common when a forensic investigation can show that an attacker could reach a data store but not which records were read; neither notice says whether that is the case here. Either way, Kohl’s letter keeps the hedge even after FBCS had asserted acquisition.

“Kohl’s enriched itself by saving the costs it reasonably should have expended on data security measures to secure Plaintiff and Class Members’ PII. Instead of providing a reasonable level of security that would have prevented the Data Breach, Kohl’s instead calculated to increase its own profit at the expense of Plaintiff and Class Members by utilizing cheaper, ineffective security measures.”

— Class Action Complaint, Count III (Unjust Enrichment), ¶182

  • This is the unjust enrichment theory stated directly: Kohl’s pocketed money it should have spent on security. Under this legal theory, the savings Kohl’s realized by underinvesting in data protection represent a benefit it was unjustly enriched by, at the direct expense of its customers.
  • The complaint argues Kohl’s “calculated” this outcome. That is not a neutral word in a legal filing. It moves the allegation from negligence toward willful cost-shifting, which matters for the punitive damages demand.
  • The plaintiffs seek “full refunds, restitution, and/or damages from Kohl’s and/or an order proportionally disgorging all profits, benefits, and other compensation obtained by Kohl’s from its wrongful conduct,” including the establishment of a constructive trust. This means they want the court to force Kohl’s to give back the money it saved by skimping on security.

“Defendant failed to meet the minimum standards of any of the following frameworks: the NIST Cybersecurity Framework Version 1.1 (including without limitation PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5, PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for Internet Security’s Critical Security Controls (CIS CSC).”

— Class Action Complaint, ¶72

  • The NIST Cybersecurity Framework and the CIS Critical Security Controls are not obscure academic standards. They are voluntary but widely adopted baselines that security teams at any organization handling sensitive data are expected to measure themselves against. (CSF 1.1 was the current version when the intrusion began; NIST published CSF 2.0 on February 26, 2024, the day FBCS says it discovered the breach.) The complaint alleges that Kohl’s fell short of both frameworks and lists the CSF subcategories above as examples, “without limitation.”
  • The cited subcategories cover identity and access management (PR.AC-1 and PR.AC-3 through PR.AC-7: managed credentials, controlled remote access, least-privilege permissions, network segmentation, identity proofing, and authentication matched to the risk), user training (PR.AT-1), data security (PR.DS-1, data at rest protected; PR.DS-5, protections against data leaks), protective technology (PR.PT-1, audit logs; PR.PT-3, least functionality), continuous monitoring (DE.CM-1, DE.CM-4, DE.CM-7 and DE.CM-8: network monitoring, malware detection, detection of unauthorized users, devices and software, and vulnerability scanning), and incident reporting (RS.CO-2). In plain language: nobody adequately controlled who could reach the data, the data itself sat unprotected, an intruder went unnoticed for twelve days, and the reporting afterwards fell short. One caveat a practitioner will notice: the intrusion was on FBCS’s network, so most of these controls describe FBCS’s environment. What Kohl’s itself controlled was the decision to hand the data over, how much of it, and what assurance it obtained first.
  • The complaint uses these frameworks as evidence of the standard of care. Neither is a statute, so the negligence per se theory does not rest on them alone; for that count the complaint also invokes Section 5 of the FTC Act and the FTC’s data security guidance. Read together, the argument is that the conduct fell so far below an established, publicly documented baseline that the failure itself constitutes negligence as a matter of law.
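What PR.DS-1 and PR.DS-5 ask for at the point where an originator hands records to a vendor can be shown in code. The following Python is an added illustration, not Kohl’s or FBCS code, and nothing on the record says what fields FBCS actually needed; the allowlist, the key handling, the sample record and the `find_by_token` helper are assumptions. The originator keeps a tokenization key, the collector receives a keyed pseudonym plus the last four SSN digits instead of the full number, and an egress check refuses any payload carrying a field outside the allowlist or an SSN-shaped string, so an unvetted vendor’s database cannot contain what it was never sent.

```python
"""Minimize and pseudonymize a customer record before it leaves the originator.

Added illustration, not Kohl's or FBCS code. Hypothetical assumptions: the
originator keeps a tokenization key that never leaves its own systems, and the
collector needs name, mailing address, amount owed, the last four SSN digits
and a stable per-customer token, but not the full SSN or the date of birth.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Fields the collector may receive at all (hypothetical allowlist).
VENDOR_ALLOWLIST = frozenset(
    {"name", "mailing_address", "ssn_last4", "customer_token", "balance_due"}
)

# Conservative detector for the egress check: dashed SSN form, or any bare run
# of nine digits. Nine digits can also be an account number, so a hit blocks
# the transfer for human review rather than silently passing.
SSN_LIKE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{9}\b")
SSN_EXACT = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


@dataclass(frozen=True)
class CustomerRecord:
    name: str
    ssn: str
    dob: str
    mailing_address: str
    email: str
    account_number: str
    balance_due: float


def tokenize(ssn: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the bare nine digits.

    A plain SHA-256 would be reversible by hashing all ~1e9 possible SSNs; the
    key, held only by the originator, is what makes the token opaque to the
    collector and to anyone who later steals the collector's database.
    """
    digits = re.sub(r"\D", "", ssn)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def egress_check(payload: dict) -> None:
    """Refuse a payload carrying a non-allowlisted field or an SSN-shaped value."""
    extra = set(payload) - VENDOR_ALLOWLIST
    if extra:
        raise PermissionError(f"fields not permitted for vendor: {sorted(extra)}")
    for field, value in payload.items():
        if isinstance(value, str) and SSN_LIKE.search(value):
            raise PermissionError(f"SSN-shaped value in field {field!r}")


def releasable(payload: dict) -> bool:
    """True when egress_check lets the payload through."""
    try:
        egress_check(payload)
    except PermissionError:
        return False
    return True


def prepare_for_vendor(rec: CustomerRecord, key: bytes) -> dict:
    """Build the collector's view of one record and gate it through egress_check."""
    if not SSN_EXACT.match(rec.ssn):
        raise ValueError("malformed SSN")
    digits = re.sub(r"\D", "", rec.ssn)
    payload = {
        "name": rec.name,
        "mailing_address": rec.mailing_address,
        "ssn_last4": digits[-4:],  # assumption: enough for the collector to verify a caller
        "customer_token": tokenize(rec.ssn, key),
        "balance_due": rec.balance_due,
    }
    egress_check(payload)  # dob, email, full SSN and account number never leave
    return payload


def find_by_token(records, token: str, key: bytes) -> Optional[CustomerRecord]:
    """Originator-side re-identification: only the key holder can map a token back."""
    for rec in records:
        if hmac.compare_digest(tokenize(rec.ssn, key), token):
            return rec
    return None


# Constructed sample; the SSN and the key are made-up values for the demonstration.
SAMPLE_RECORD = CustomerRecord(
    name="Pat Example", ssn="123-45-6789", dob="1980-01-01",
    mailing_address="1 Main St, Phoenix, AZ 85001", email="pat@example.com",
    account_number="4000123456", balance_due=312.50,
)
DEMO_KEY = b"originator-held-secret-rotate-me"  # use a managed key in practice

if __name__ == "__main__":
    view = prepare_for_vendor(SAMPLE_RECORD, DEMO_KEY)
    print(view)
    print(find_by_token([SAMPLE_RECORD], view["customer_token"], DEMO_KEY) == SAMPLE_RECORD)
```

Two design points matter more than the rest. The pseudonym is an HMAC rather than a plain hash because the SSN space is small enough to enumerate, so an unkeyed hash would protect nothing once the vendor’s database leaked. And the egress check sits on the originator’s side, where the complaint says the decision to transfer was made, rather than trusting the vendor to encrypt later.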

“Plaintiff has suffered imminent and impending injury arising from the substantially increased risk of fraud, identity theft, and misuse resulting from his PII, especially his Social Security number, being placed in the hands of criminals that will continue for his lifetime.”

— Class Action Complaint, ¶119

  • “Will continue for his lifetime” is a deliberate legal phrase establishing that damages are not finite. Unlike a hacked credit card that you cancel and replace, a compromised Social Security number creates a permanent exposure. Some federal courts have treated a substantial, lifetime risk of identity theft as a cognizable injury; others, particularly after the Supreme Court’s TransUnion v. Ramirez decision in 2021, require a showing that the risk has materialized or caused concrete harm. That split is why the complaint pairs the risk allegation with the specific injuries documented below.
  • The complaint documents specific ongoing symptoms of this harm for the plaintiff: anxiety, sleep disruption, stress, fear, frustration, a spike in scam calls and texts, and the ongoing expenditure of time monitoring accounts. These are pleaded as concrete injuries, not speculative ones.
Visual 3: What Kohl’s Told You vs. What the Complaint Documents
  • Kohl’s said: “This incident did not impact Kohl’s own network or systems.” The complaint shows: Kohl’s chose FBCS and transferred the data without vetting FBCS’s security.
  • Kohl’s implied your data was handled securely. The complaint shows: the PII was stored unencrypted and unredacted at FBCS.
  • Kohl’s sent notice “promptly” after the determination. The complaint shows: roughly five and a half months elapsed from breach discovery to Kohl’s customer notice.
  • Kohl’s letter described what was involved in the breach. The complaint shows: the root cause, the vulnerabilities exploited, and the fixes taken were all omitted.

The Downstream Damage: Public Health and Economic Inequality

Public Health: The Psychological Cost of Permanent Exposure

Identity theft and data breach victimization are documented sources of chronic psychological harm. The complaint establishes specific mental health impacts for the named plaintiff, and these are consistent with what research on identity-theft victims generally reports.

  • The named plaintiff, Michael Martinez, is documented as suffering anxiety, sleep disruption, stress, fear, and frustration as a direct and proximate result of the breach notification and the ongoing uncertainty about how his data is being used.
  • The complaint documents a spike in scam calls and text messages experienced by the plaintiff after the breach, a documented phishing vector in which criminals use breach-acquired data to socially engineer additional information from victims. Every unsolicited call or text is a reminder of the violation and a fresh mental health stressor.
  • The psychological burden of ongoing monitoring is chronic: victims must check credit reports, dispute fraudulent charges, place fraud alerts, and sustain a low-grade state of financial vigilance indefinitely. The GAO describes this as victims facing “substantial costs and time to repair the damage to their good name and credit record,” which the complaint cites directly as evidence of concrete harm.
  • The harm is not distributed equally across the class. Victims without financial literacy, without internet access to monitor accounts, without English fluency to navigate dispute systems, or without the free time to spend on mitigation are disproportionately harmed. Kohl’s customer base skews toward working-class and middle-class households; these are not people with financial advisors or personal lawyers to manage the fallout.
  • Social Security number theft specifically enables fraud in healthcare and government benefits. A criminal can use a stolen SSN to receive medical services under a victim’s name, contaminating that victim’s medical records with false diagnoses and procedures. These medical record contaminations can directly harm future healthcare, insurance eligibility, and treatment decisions.

Economic Inequality: Who Gets to Recover and Who Doesn’t

The financial consequences of this breach land hardest on people who were already operating with the thinnest margins, and the remediation options available to wealthier people are not equally accessible.

  • The complaint estimates credit and identity theft monitoring costs at approximately $200 per person per year for a minimum of five years. That is $1,000 over five years that affected Kohl’s customers must spend to protect themselves from a risk that Kohl’s created. For a household already living paycheck to paycheck, that is a real financial injury.
  • Stolen Social Security numbers enable fraudulent tax filings. A victim only discovers this when they file their authentic tax return and it is rejected by the IRS as a duplicate. Resolving tax identity theft requires filing IRS Form 14039, providing documentation, and waiting months or years for resolution, during which the victim may be unable to receive their legitimate refund. For households depending on that refund to pay bills, this delay is an economic emergency.
  • The “Fullz” package market is described in the complaint as a way for criminals to aggregate stolen PII with other data points to create complete identity dossiers. These packages sell on the dark web for up to $100 or more per record. Applied to 1.9 million Kohl’s customers, that is roughly $200 million in potential criminal revenue at $100 per record, and more at the higher rates the complaint cites, a financial benefit realized by criminals at the direct expense of ordinary consumers.
  • Fraudulent loans and credit lines opened in a victim’s name damage credit scores. Lower credit scores increase the cost of borrowing for housing, vehicles, and emergencies. For working-class households without substantial savings, a damaged credit score can deny access to a rental apartment, increase car insurance premiums, and close off access to small-business loans. These cascading effects can follow a victim for a decade after the initial fraud.
  • Victims who cannot afford ongoing credit monitoring or who lack the time and resources to navigate dispute processes are exposed for longer and suffer deeper damage. The burden of remediation is systematically more crushing for lower-income households, while the root cause, Kohl’s decision to underinvest in vendor security, benefited the corporation’s bottom line regardless of the customer’s income level.
  • The dark web data brokerage industry was worth approximately $200 billion in 2019, according to the complaint. The data Kohl’s customers were forced to provide as a condition of service has genuine market value. That value was transferred to criminals without any compensation to the individuals whose data was sold. The complaint characterizes this as a direct economic loss: “this transfer of value occurred without any consideration paid to Plaintiff or Class Members for their property, resulting in an economic loss.”
Visual 4: What Your Stolen Data Is Worth to Criminals (dark web market rates, USD per record)
  • PII record, low end: $40
  • PII record, high end: $200
  • “Fullz” package: $100+
  • Sensitive PII (Infosec estimate): $363
  • Full company breach access: $900–$4,500

The Math Kohl’s Made

$1,000
per person • minimum 5-year exposure window

The estimated cost in credit and identity monitoring that each of the 1,955,385 affected Kohl’s customers must now absorb, at $200/year for 5 years, to protect themselves from the breach Kohl’s created by failing to vet FBCS.

Across the entire class, that is a minimum of $1.96 billion in out-of-pocket monitoring costs shifted from a corporation that saved money on security to nearly two million ordinary people who had no say in the decision.

Your Social Security number cannot be cancelled, replaced, or refunded. The risk created by this breach is not a 5-year problem. It is a lifetime problem.

$5M+
minimum in controversy per CAFA jurisdiction threshold

The amount in controversy the complaint pleads to satisfy the Class Action Fairness Act (CAFA), which gives federal courts jurisdiction over class actions when the aggregate amount in controversy exceeds $5 million. The plaintiffs are seeking actual damages, compensatory damages, statutory damages, punitive damages, attorneys’ fees, and disgorgement of profits.

If the full monitoring cost across the class is considered, the true financial scope exceeds the $5 million threshold by a factor of nearly 400.

What You Can Do: Watchlist, Actions, and Demands

Kohl’s is a Wisconsin corporation headquartered in Menomonee Falls, Wisconsin. The case is before the Eastern District of Pennsylvania. The people in the positions responsible for these decisions are corporate roles; the complaint does not name individual executives. Here is who to watch and what to demand.

Corporate Roles on Notice

  • Kohl’s Chief Executive Officer: Responsible for the corporate direction that resulted in inadequate vendor vetting and data security investment.
  • Kohl’s Chief Information Security Officer (CISO): accountable for third-party risk management, meaning what customer data may leave Kohl’s at all, how much of it, and what evidence of the vendor’s controls (encryption of stored PII, access control, monitoring, as the NIST Cybersecurity Framework subcategories cited in the complaint describe) is required before the transfer. That is the vendor-vetting failure the complaint alleges.
  • Kohl’s Board of Directors: Responsible for oversight of risk management practices, including data security investment decisions and the cost-cutting that the complaint alleges generated unjust enrichment at customers’ expense.
  • FBCS Leadership: The debt collection agency that stored Kohl’s customers’ PII unencrypted and allowed it to be exfiltrated. FBCS waited two months after discovering the breach before notifying consumers.

Regulatory Watchlist

  • The Federal Trade Commission (FTC) has authority to pursue enforcement actions against businesses that fail to employ reasonable data security measures under Section 5 of the FTC Act, 15 U.S.C. § 45. The complaint explicitly cites Kohl’s failure to comply with FTC guidelines as a basis for negligence per se. File a complaint at ftc.gov/complaint.
  • The Consumer Financial Protection Bureau (CFPB) oversees debt collection practices, including the practices of companies like FBCS that collect consumer debts. FBCS’s handling of sensitive financial data falls within CFPB’s regulatory scope. File a complaint at consumerfinance.gov/complaint.
  • The Office of the Maine Attorney General already received the FBCS data breach filing that forms the evidentiary backbone of this lawsuit. Other state attorneys general with jurisdiction over affected residents can and should receive complaints. The Maine AG filings in this case are public record.
  • The Department of Justice (DOJ) and the FBI’s Internet Crime Complaint Center (IC3) handle federal cybercrime enforcement. The underlying hack is a federal crime. Victims can file reports at ic3.gov.

Protect Yourself Right Now

  • Place a credit freeze with all three major bureaus: Equifax, Experian, and TransUnion. A freeze is free and blocks new credit accounts from being opened in your name; you lift it temporarily when you apply for credit yourself. A fraud alert only asks lenders to verify your identity, so go for the full freeze. Know its limits, too: a freeze does nothing against misuse of accounts you already hold, fraudulent tax filings, or benefits fraud, which is why the steps below matter as well.
  • File an Identity Theft Report with the FTC at identitytheft.gov. This generates an official document you can use with banks, creditors, and the IRS to dispute fraudulent accounts and charges.
  • Request your free annual credit reports from annualcreditreport.com and check all three bureaus for accounts you do not recognize. Do this now and repeat every few months.
  • Request an IP PIN (Identity Protection Personal Identification Number) from the IRS at irs.gov/identity-theft-fraud-scams. Once you have one, an e-filed return under your Social Security number without the current PIN is rejected, including your own, so keep it with your tax records; the IRS issues a new PIN every year.
  • If you received a Kohl’s breach notice letter and you believe you are a class member, document everything: keep the letter, keep records of time spent on mitigation, keep records of any fraudulent activity or suspicious communications. This documentation supports your claim in the class action.
  • Connect with local community mutual aid organizations and financial literacy programs. Volunteer income tax assistance (VITA) sites can help you navigate IRS identity theft resolution for free. Nonprofit credit counseling agencies can help you dispute fraudulent debts without paying for commercial services.
  • Pressure your state legislature to pass stronger data breach notification laws requiring faster consumer notification (not months), mandatory disclosure of breach root causes, and minimum encryption standards for any company handling consumer PII. Contact your state representative directly.
  • Support and amplify the class action. Cases like this move faster and result in stronger remedies when public attention stays on them. The named law firms representing the class are: Ahdoot & Wolfson, PC; Kopelowitz Ostrow P.A.; Levin Sedran & Berman, LLP; and Morgan & Morgan Complex Litigation Group.
Two million people are now lifetime targets because Kohl’s decided not to check if its debt collector could keep a secret.

The source document for this investigation is attached below.

additional sources:
https://www.law360.com/articles/1888527/kohl-s-sued-after-vendor-hack-leaks-1-9m-customers-files

https://news.bloomberglaw.com/privacy-and-data-security/kohls-3-others-join-list-sued-over-debt-collector-data-breach

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.