Data breaches are hard to keep track of these days, and even more difficult to respond to for consumers.
Panera Bread Co. announced Monday that it had patched a vulnerability that had been leaking millions of customer records onto the internet for eight months. Security journalist Brian Krebs, who reported the exposure, said the data may have covered more than seven million accounts, including names, dates of birth, email addresses, and the last four digits of credit card numbers.
“Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved,” Panera chief information officer John Meister said in a statement, adding that “fewer than 10,000 consumers have been potentially affected by this issue.”
The Panera disclosure comes after Under Armour disclosed a breach of MyFitnessPal data that affected about 150 million user accounts, including user names, email addresses, and hashed passwords, and after a breach at Orbitz.com that affected more than 880,000 customers. On Sunday, a breach affecting Saks Fifth Avenue, Saks Off 5th, and Lord & Taylor stores was announced; it affected more than five million payment cards.
With a different incident every week, it’s hard for consumers to determine what to do about hacks and which incidents are actually dangerous. Zohar Steinberg, chief executive officer of payment security company Token, said sometimes consumers won’t know for years if their data has been compromised. Databases of stolen consumer information used by criminals are updated with each breach and it can take years for criminals to build up enough information to compromise a consumer’s accounts.
“Any piece of your personal information, when in malicious hands, can be considered serious,” he said. “Oftentimes, once hackers get a hold of certain pieces of personal information, they can use various techniques to get more, so even something such as an email can seem harmless, but can eventually lead to other information being stolen from that first step.”
Meanwhile, here are some steps to take if you are a customer of a breached company.
Know the difference between a hack and a breach
The terms data breach and hack are often used interchangeably, but they are not the same thing. A breach is any incident in which data ends up exposed to, or in the hands of, someone who should not have it, whether through a deliberate attack or through negligence such as a server or API left reachable without authentication. A hack refers specifically to the deliberate activity of attackers who compromise IT infrastructure to steal information or to hold systems for ransom. If your data was part of a breach, it may only have been left exposed online and never actually copied by anyone. Likewise, not every hack results in a breach: an intruder may be detected and shut out before reaching any data.
When a breach is really bad
Any time consumer data is compromised is cause for concern, but consumers should be particularly wary when the exposed data cannot easily be changed, said Guy Podjarny, chief executive officer and co-founder of security company Snyk. That includes dates of birth, Social Security numbers, and credit history, as in the Equifax breach, which exposed Social Security numbers.
“A stolen credit card can easily be cancelled, even if it caused some damage, but such personal details can continue causing damage for a long while,” he said.
Not all privacy violations are breaches
Recently consumers have been given stark reminders that not all privacy violations are the result of a hack: some are opted into willingly. Many Facebook users were outraged recently to find their data had been sold to a data firm tied to Donald Trump’s election campaign, but in many cases users had granted the access themselves, and such data harvesting was permitted under Facebook’s own platform policies at the time.
Similarly, users of gay dating app Grindr were upset to find their HIV status, along with other personal information, had been shared with third-party companies. However, in the fine print of the permissions the app requested at sign-up, users had agreed to terms that allowed that information to be shared. As the adage goes, when an online product is free, you are the product.
Check if your accounts have been affected
There still aren’t many formal ways to check whether your data has been compromised in a breach. Often the company will alert affected customers, but how quickly, and whether it must, varies. Panera, for example, knew about the exposure for eight months before fixing it. (The company did not immediately respond to a request for comment.)
Many states, California among them, have laws requiring companies to notify affected residents when a data breach reaches a certain scale, and the Federal Trade Commission has discussed proposing similar rules at the federal level.
In the meantime, consumers can check sites like Have I Been Pwned, a free service built by security researcher Troy Hunt that indexes email addresses (and some usernames) found in publicly known breach data sets, so you can see which breaches your account has appeared in. Consumers can also monitor their credit reports to shut down fraudulent activity as quickly as possible. Facebook chief executive Mark Zuckerberg has pledged to alert users affected by the Cambridge Analytica privacy violation.
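Have I Been Pwned also runs a Pwned Passwords service that lets a client ask whether a password has appeared in breach data without ever sending the password, or even its full hash, to the server. The client hashes the password with SHA-1, sends only the first five hex characters to https://api.pwnedpasswords.com/range/<prefix>, receives every suffix that shares the prefix as "SUFFIX:COUNT" lines, and matches the remaining 35 characters locally (the k-anonymity scheme). The following is an added example written for this article, not code from the article or from Have I Been Pwned; the range reply embedded in it is constructed sample data with made-up counts, so the example runs offline, and `fetch_range` is the only function that touches the network.

```python
"""Client-side Pwned Passwords check using the k-anonymity range API.

Added example, not code from the article or from Have I Been Pwned.
Only the 5-character SHA-1 prefix is sent; matching happens locally.
"""
from __future__ import annotations

import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Return (first 5 hex chars, remaining 35 hex chars) of SHA-1(password)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are skipped.

    Padded replies (Add-Padding: true) contain extra lines with a count of 0,
    which parse like any other line and simply never match a real suffix.
    """
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35:
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, range_prefix: str, range_body: str) -> int:
    """How many times the password appears in breach data, per the range body.

    range_prefix must be the password's own 5-char prefix; a body for some
    other prefix cannot contain the right suffix and the check would silently
    report 0, so that case is an error rather than a clean result.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    if prefix != range_prefix.upper():
        raise ValueError(f"range {range_prefix} does not cover prefix {prefix}")
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Fetch the live range body for a 5-char prefix (network; not used offline).

    Add-Padding asks the service to pad the reply so its size does not reveal
    which prefix was queried.
    """
    req = urllib.request.Request(
        RANGE_URL + prefix.upper(),
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample reply for prefix 5BAA6, the prefix of SHA-1("password").
# The middle line is the real suffix of "password"; the other two suffixes and
# all three counts are made up for this example. A real reply has hundreds of lines.
SAMPLE_RANGE_5BAA6 = """\
0026ACF3B3DEF20C3C0C8E5B1F8D7E7C9B7:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
FFEE4F3A9E2C8D1C7B5A6F0E9D8C7B6A5F4:1
"""

if __name__ == "__main__":
    n = pwned_count("password", "5BAA6", SAMPLE_RANGE_5BAA6)
    print(f"'password' seen {n} times in the sample range")
    # Live check of a password held in `pw`:
    #   prefix, _ = sha1_prefix_suffix(pw)
    #   pwned_count(pw, prefix, fetch_range(prefix))
```

Because the server only ever sees a prefix shared by hundreds of hashes, it cannot tell which password was checked, which is why a consumer can safely run this against passwords they still use.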
Never use the same password for multiple sites and change your passwords frequently
The increasing number of breaches underscores how important it is for consumers to protect their data by using random and difficult-to-guess passwords, Podjarny said.
“I would encourage consumers to ensure they use a different password for every service they use (using a password manager),” he said. “If they do so, they could care very little about a leaked password, as it only compromised that one service’s data, versus other services they may use.”
Experts suggest long strings of randomly chosen words (think ‘PhoneCarIceCreamMailbox5839393’) rather than a single memorable word; such passphrases are both easier to remember and harder to guess than the short strings of unrelated characters most people can actually hold in their heads. A password manager makes keeping them straight easy. Two-factor authentication, which requires a second proof of identity such as a code sent to a phone or email or generated by an authenticator app, is another good layer of security, and sites increasingly offer it to consumers. The website Two Factor Auth (twofactorauth.org) keeps track of which sites offer the feature.
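The reason a handful of random words beats a short random character string is arithmetic: the entropy of a secret is the number of positions times log2 of the number of equally likely choices per position. Five words drawn from a 7776-word list (the size of the EFF diceware long list) give about 65 bits; eight random letters and digits give about 48. The script below is an added example, not code from the article or from any password manager. It uses the standard library's `secrets` module for generation; the 64-word list in it is constructed so the example runs offline and is far too small for real use, where the reader is assumed to supply a list of thousands of words.

```python
"""Passphrase generation and entropy comparison.

Added example, not code from the article. SAMPLE_WORDS is a constructed
64-word list (6 bits per word) for running offline; real generators use
lists of several thousand words.
"""
from __future__ import annotations

import math
import secrets
import string

SAMPLE_WORDS = (
    "acorn anvil apple arrow badge bagel basil beach cabin camel candy cargo "
    "daisy delta diner dodge eagle ember engine exit fable fence ferry flame "
    "gable ghost giant glove habit harbor hazel hinge igloo image index ivory "
    "jelly jewel judge juice kayak kettle kiosk knot ladle lemon lever lotus "
    "mango maple medal metal nickel noble north novel oasis olive onion orbit "
    "paddle panda pearl pecan"
).split()

ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols


def entropy_bits(choices: int, length: int) -> float:
    """Entropy in bits of `length` independent uniform picks from `choices` options."""
    if choices < 2 or length < 1:
        raise ValueError("need at least two choices and one pick")
    return length * math.log2(choices)


def words_needed(list_size: int, target_bits: float) -> int:
    """Fewest words from a list of `list_size` that reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words: list[str], count: int = 5, separator: str = "-") -> str:
    """Join `count` words chosen with a CSPRNG (secrets.choice), with replacement."""
    if count < 1 or len(set(words)) < 2:
        raise ValueError("need at least one pick from at least two distinct words")
    return separator.join(secrets.choice(words) for _ in range(count))


def generate_random_password(length: int = 8, alphabet: str = ALPHANUMERIC) -> str:
    """Random character password of the kind the passphrase is compared against."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need at least one character from at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(list_size: int = 7776, word_count: int = 5,
            alphabet_size: int = 62, char_count: int = 8) -> dict[str, float]:
    """Entropy of a word-list passphrase versus a random character password."""
    return {
        "passphrase_bits": entropy_bits(list_size, word_count),
        "password_bits": entropy_bits(alphabet_size, char_count),
    }


if __name__ == "__main__":
    print("passphrase (sample list):", generate_passphrase(SAMPLE_WORDS))
    print("random 8-char password:  ", generate_random_password())
    for name, bits in compare().items():
        print(f"{name}: {bits:.1f}")
    print("words from a 7776-word list for 80 bits:", words_needed(7776, 80))
```

The choice of `secrets.choice` rather than `random.choice` matters: the `random` module is a predictable Mersenne Twister, and a passphrase is only as strong as the unpredictability of the picks.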