In June 2026, JCPenney and associated brands were targeted by the ShinyHunters extortion group, who published data allegedly obtained from a critical zero-day vulnerability in Oracle PeopleSoft. The breach primarily impacted internal HR systems, exposing 368,418 current and former employee records. This data included corporate and personal email addresses, names, dates of birth, Social Security numbers, phone numbers, and home addresses.