Retail Merchandising Services Data Breach Exposes 16,114 People

Retail Merchandising Services Inc., a national retail merchandising company based in Brooklyn Park, Minnesota, has disclosed a data breach that affected 16,114 people across the United States.

The company reported the breach to multiple state regulators on March 16, 2026. RMS discovered the preliminary results of its investigation on Feb. 25, 2026, and began notifying affected consumers electronically on March 16, 2026.

How the breach happened

In January 2026, RMS detected unusual activity within its email environment. The company said it took steps in response, including hiring specialists to conduct a thorough investigation.

That investigation found that one email account was intermittently accessed without authorization between Nov. 24, 2025, and Jan. 7, 2026. Because the email account may have contained personal information, RMS and third-party specialists reviewed the relevant portions of the account to determine what specific information was present and who was affected.

The preliminary results of that review were completed on Feb. 25, 2026. After that, RMS continued working to identify the contact information for affected individuals and to prepare resources for notification. Those efforts were completed on March 2, 2026.

On March 16, 2026, RMS began sending notification letters to affected individuals and filing reports with state regulators, including the California and Vermont attorneys general. The breach affected 1,386 Texas residents, 54 Maine residents, 339 Massachusetts residents and 59 New Hampshire residents.

The types of personal information involved in this breach include names, dates of birth, addresses, Social Security numbers, financial account information, and bank routing numbers.

What RMS is doing in response

RMS is offering affected individuals free credit monitoring, credit report and credit score services through Cyberscout, a TransUnion company. The monitoring period is 12 months, according to the notices filed with state regulators. Individuals must enroll within 90 days of receiving the notification letter.

The credit monitoring services include several features. Enrolled individuals will receive same-day alerts when changes occur on their credit file.

RMS has also set up a dedicated assistance line through Cyberscout that is available Monday through Friday from 7 a.m. to 7 p.m. Central Time. The phone number for this line was included in individual notification letters sent to affected consumers.

Steps to take if your information was exposed

Place a credit freeze. A credit freeze makes it much harder for someone to open new accounts in another person's name. Under federal law, placing or lifting a credit freeze is free. Contact all three major credit bureaus to place a freeze:

• TransUnion: 1-800-680-7289 or www.transunion.com
• Experian: 1-888-397-3742 or www.experian.com
• Equifax: 1-888-298-0045 or www.equifax.com

Set up a fraud alert. As an alternative or addition to a credit freeze, individuals can place a free fraud alert on their credit file. An initial fraud alert lasts one year and requires businesses to verify identity before extending new credit.

Monitor bank and financial accounts closely. Because bank account numbers and routing numbers were exposed, affected individuals should review their bank and credit card statements carefully for any unauthorized transactions.

Request free credit reports. Under federal law, everyone is entitled to one free credit report per year from each of the three major credit bureaus. Individuals can order these reports at AnnualCreditReport.com or by calling 1-877-322-8228. They should review the reports for any accounts they did not open or credit inquiries they did not authorize.

Consider an IRS Identity Protection PIN. Because Social Security numbers were exposed in this breach, affected individuals may be at risk for tax-related identity theft. The IRS offers an Identity Protection PIN that prevents someone else from filing a tax return using a stolen Social Security number. Individuals can request one through the IRS website.

Watch for phishing attempts. After a data breach, scammers sometimes send emails, texts or phone calls pretending to be from the breached company or from banks. These messages may reference the RMS breach by name to appear legitimate. Individuals should be cautious about clicking links or providing personal information in response to unsolicited communications.

File a report if fraud occurs. Anyone who experiences identity theft or fraud should file a report with local law enforcement. They can also file a complaint with the Federal Trade Commission at www.identitytheft.gov or by calling 1-877-438-4338. Instances of suspected identity theft should also be reported to the relevant state attorney general.

Enroll in the offered monitoring services. Affected individuals who received a notification letter from RMS should strongly consider enrolling in the free credit monitoring and identity theft insurance offered through Cyberscout.