HomeIntelligenceBrief
BREACH BRIEF🟠 High Breach

JCPenney HR Data Breach Exposes 368 K Employee Records via Oracle PeopleSoft Zero‑Day

A ShinyHunters extortion campaign leaked personal data of 368 K current and former JCPenney employees after exploiting a zero‑day in Oracle PeopleSoft. The exposure of SSNs, DOBs and contact details triggers SOC 2 privacy and GDPR/CCPA requirements, underscoring the need for continuous consent and DSAR readiness.

LiveThreat™ Intelligence · 📅 June 20, 2026· 📰 haveibeenpwned.com
🟠
Severity
High
BR
Type
Breach
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
haveibeenpwned.com

JCPenney HR Data Breach Exposes 368 K Employee Records via Oracle PeopleSoft Zero‑Day

What Happened — In June 2026 a “pay‑or‑leak” extortion campaign by the ShinyHunters group published data stolen from JCPenney after exploiting a critical zero‑day vulnerability in Oracle PeopleSoft. The breach disclosed personal and corporate information for current and former employees, including email addresses, dates of birth, Social Security numbers, phone numbers and home addresses.

Why It Matters for Compliance & Audit Readiness

  • The incident triggers the SOC 2 Privacy principle and any applicable GDPR/CCPA obligations because protected personal data was exposed.
  • Continuous evidence of consent management, data‑subject‑request (DSAR) handling, and privacy‑control monitoring is essential to demonstrate readiness during an audit.
  • Verisq’s CookiePLUS capability provides the automated consent‑capture, DSAR workflow, and privacy‑control evidence needed to close the audit gap exposed by this breach.

Who Is Affected – Retail organizations with large employee bases; HR and payroll systems that store PII; any third‑party that integrates with PeopleSoft or similar ERP/HCM platforms.

Recommended Actions

  • Map the exposed data elements to SOC 2 privacy controls (CC6.1, CC6.2) and verify that consent records exist for each data type.
  • Initiate a DSAR readiness review: confirm you can locate, retrieve, and delete or rectify employee data on demand.
  • Deploy continuous monitoring of ERP/HCM configurations for unpatched vulnerabilities and maintain audit‑ready evidence of patch status.

Source: Have I Been Pwned – JCPenney breach

Technical Notes – The attack leveraged a zero‑day exploit in Oracle PeopleSoft, a widely used ERP/HCM suite. Stolen fields included names, SSNs, DOBs, phone numbers, home addresses, job titles, usernames and corporate email addresses. Source: same as above

📰 Original Source
https://haveibeenpwned.com/Breach/JCPenney

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →