Do you like shopping at relatively high-end retailers? How about enjoying reasonably priced soup and sandwich combinations? If so, chances are you need to run a credit report ASAP. Saks Fifth Avenue, Lord & Taylor, and Panera Bread now find themselves on the rapidly-growing list of victims of data breaches in 2018.
What makes matters worse? Without outside parties holding these companies accountable, the breaches may have remained unnoticed.
Saks Fifth Avenue, Lord & Taylor customers have payment details stolen
Hudson Bay Co., a Canadian retail group whose origins date back to the fur trade, announced Sunday that U.S. customers may have had their credit and debit card information compromised at two of their most popular properties — Saks Fifth Avenue and Lord & Taylor.
Instead of delving into specifics of the matter, the retail company simply stated that they were taking steps to contain the situation, and that:
“Once [Hudson Bay Co. has] more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.”
The public, and presumably Hudson Bay Co., learned of the breach because of Gemini Advisory. The New York-based cybersecurity firm posted about the matter on their blog. According to Dmitry Chorine, their chief technology officer, it was well-known hacker group JokerStash that hit Hudson Bay Co.
The criminal organization revealed they have access to more than 5 million credit card numbers and have already released around 125,000. Of those revealed, more than 75 percent came from Hudson Bay Co. properties.
Panera Bread in hot water
Panera Bread also finds itself in a sea of controversy and should be considered a corporate cautionary tale in handling data breaches. But to really understand why Panera’s handling of events is an issue, we need to look at a timeline of events.
During the summer of 2017, security researcher Dylan Houlihan discovered a major security problem. With little effort, it was possible to view sensitive customer data on the Panera website, which included customers’ names, addresses, and even portions of their credit and debit card numbers. He immediately alerted the company to his findings and offered to provide Panera with proof of the security flaw.
The company’s lead security executive, Mike Gustavison, initially rejected Houlihan’s claims, believing them to be a solicitation for work or payment. During an exchange with Houlihan last August, Gustavison expressed his doubt and lack of concern: "I will not be duped, demanded for restitution/bounty or listen to a sales pitch."
Eventually, Gustavison — who worked for Equifax before joining Panera — relented and said they would fix the problem. After eight months, Houlihan — who was among the customers to have their private data revealed — was tired of waiting.
Taking to the internet, Mr. Houlihan shared proof of the breach, as well as his exchanges with Panera. Further, he gave his findings to Brian Krebs of the popular KrebsOnSecurity.com. The combination of these events led Panera to issue a statement to Fox News, in which they claimed only 10,000 customer records were affected. Both Brian Krebs and Houlihan believe many more customers were impacted and that the company has done little to fully resolve the situation.
Steps you can take
If you think you may be affected by either breach, it’s important you take action immediately. While it’s unclear how long it will take Hudson Bay Co. and Panera to alert victims, there are steps you can take now.
1. Monitor your credit and debit card balances
This is something you should already do on a routine basis. However, if you feel you may be one of the millions of victims, it’s time to step up your monitoring game.
2. Obtain a copy of your credit report
Each of the large credit monitoring companies provides one free report every 12 months. If you haven’t pulled your free report yet this year, do so now with TransUnion, Equifax, and Experian.
3. Monitor your credit
Although the companies may eventually provide you with credit monitoring services, it’s a good idea to sign up for one in the interim. You’ll need a service that proactively monitors your credit scores and that will notify you when suspicious activity occurs. Note that many of these services will not protect you from sophisticated identity crimes, so you will bear the majority of the burden of proactive monitoring.
4. Consider filing a fraud alert or freezing your credit
a. If someone has misused your information, you’ll want to put a fraud alert on your credit report. Fraud alerts make it harder for someone else to open an account in your name, but they are temporary and last just 90 days.
b. Freezing your credit is a more permanent solution, but it costs $10 at each credit bureau (so $30 total to freeze with all three), and you will have to call each company individually. A freeze will prevent anyone, even you, from opening an account in your name. If you want to learn more, check out the FTC’s credit freeze FAQs.
5. Monitor your credit and debit accounts carefully
Because credit and debit card information seems to be part of both these breaches, monitor your accounts carefully and frequently for suspicious or fraudulent purchases.