A simple shopping trip with my parents turned into something I couldn’t ignore.
On March 17, 2026, while my parents were picking up a comforter set at Macy’s Santana Row, San Jose, CA, something on the shelf caught my eye. I asked my parents to zoom in, and what we found stopped us cold.
A returned online order had been restocked on the retail floor with its original shipping label fully intact and unredacted. A real customer’s full name, home address, and order number were clearly visible to anyone walking by. No scratch. No redaction. No protocol. Just someone’s personal data sitting on a store shelf in a busy Silicon Valley mall.
This Is Not Just a Legal Problem: It’s a Cybersecurity Failure
Most people associate data breaches with hackers, ransomware, and stolen databases. But this is a textbook physical data breach, no keyboard required. The exposure happened in the real world, in broad daylight, and the risks are just as serious.
The Threat Vectors Are Real
Identity Theft: Name + address is enough to start building a profile on a victim.
Social Engineering: A bad actor now knows the person’s name, where they live, and that they shop at Macy’s, the perfect ingredients for a targeted phishing or vishing attack.
Package Theft / Stalking: A home address on a public shelf is a gift to porch pirates and worse.
Account Takeover: Order number + name can be used to call Macy’s customer service and attempt to access the account.
In cybersecurity terms, this is a data lifecycle management failure: a gap in the returns and restocking process that frameworks like NIST, ISO 27001, and SOC 2 explicitly require organizations to address. Macy’s had no visible Standard Operating Procedure to sanitize returned shipments before they re-entered the sales floor.
Laws Potentially Violated
This incident implicates five California statutes: CCPA (Cal. Civ. Code §1798.100+), CPRA (Prop 24), California Data Breach Notification Law (§1798.82), Shine the Light Law (§1798.83), and the Unfair Competition Law (Bus. & Prof. Code §17200). Under these laws, Macy’s may be legally obligated to locate and notify the affected customer without delay. Penalties can reach $7,500 per intentional violation.
What Macy’s Should Do Right Now
Locate the returned item using the order number on the label. Identify and notify the affected customer immediately. Audit the returns restocking process across all locations. Implement a mandatory label removal or redaction step before any returned item touches the sales floor again.
Thanmay Sarath is a Mensa member, ethical hacker, entrepreneur, and technologist passionate about cybersecurity and innovation. A researcher, international speaker, and published author, he works at the intersection of technology, security, and social impact, helping organizations and communities stay safe in an increasingly digital world.
