If you’re a person in the world in 2018, there are probably two words you remain in constant fear of: data breach.
In recent history, several businesses used regularly by modern consumers have been targets of hacks, resulting in compromised data for millions of people.
Perhaps one of the most notable cases was 2017’s Equifax hack, infamous for a multitude of reasons including: the scale of the hack (143 million customers with compromised data); the sensitive nature of the information lost (social security numbers, license numbers, and more); and the way the company bungled the recovery (in the aftermath of the hack, they accidentally directed concerned customers to a phishing scam posing as a security site).
But it’s not just Equifax. Fast food chains like Wendy’s and Chipotle, health insurers like Anthem and Premera, and retailers such as Under Armour and Saks Fifth Ave have all been hacked.
For anyone trying to keep all of the breaches in order, here’s a list of all of the retailers that have been hacked, starting with 2013’s Target hack.
In 2013, Target fell victim to a massive data breach, where hackers stole credit card data from up to 40 million customers. The hack took place between Nov. 27 and Dec. 15 that year — right after Black Friday — due to a breach in Target’s point-of-sale systems, compromising customer data from Target stores all over the country.
Target confirmed the hack in a memo and told Mashable in December 2013, “We’re asking everyone who shopped at a Target location since Black Friday to monitor their credit card accounts and contact their banking establishments to see if there is any suspicious activity.”
Later it was revealed that hackers were able to gain access to Target’s systems by hacking an outside contractor that was working with Target. The breach cost Target a reported $148 million, according to The New York Times.
Hate to break it to you, but if you’re an eBay user, you may have been affected by a hack. In May 2014, the ecommerce platform discovered that it had been victim to a hack which compromised a database holding information for 145 million customers with active or inactive accounts. In the breach, hackers were able to see users’ usernames, email addresses, physical addresses, phone numbers, dates of birth, and account passwords. In response, eBay urged users to change their passwords.
Fortunately for anyone worried about repercussions from the hack, an eBay spokesperson told Mashable that “there is no evidence that any financial information was accessed or compromised.” PayPal and a host of other sites that use eBay’s marketplace to operate, including StubHub, eBay Classifieds, Tradera, Gmarket, GumTree and GittiGidiyor, were also safe from the hack.
Target isn’t the only mega-corporation to have been hacked. In September 2014, just months after Target was hacked, Home Depot had to deal with a breach of its own.
The Home Depot hack was first reported by cyber security expert Brian Krebs on Sept. 2, who noted that a batch of credit card information had gone on sale on an underground cybercrime site, and that multiple banks were seeing evidence that Home Depot may have been the source of the hack. At the time, Home Depot only said that it was investigating unusual activity.
A week later, on Sept. 7, the home improvement store confirmed the hack, but the brand didn’t email customers about the data breach until Sept. 21, when Home Depot once again confirmed the hack and offered customers 12 months of fraud detection services.
In February 2015, Anthem, the second largest health insurer in America, was breached when hackers broke into the company’s computer system. The hack compromised the personal data — including names, addresses, social security numbers, and more — of up to 80 million people, including Anthem’s CEO Joseph R. Swedish.
It is believed that hackers were able to breach Anthem after stealing the login information of an Anthem employee.
The company’s CEO stated that the hack was the result of a sophisticated cyberattack. But according to The New York Times, experts say that Anthem did not complete vital cybersecurity steps like encrypting personal data, which could have helped protect customer info.
Wendy’s is a brand known for getting into beefs (pun intended, I’m sorry) with other restaurants, but in 2015, the fast food chain had some less playful news to share: Wendy’s had been hacked.
Wendy’s first broke the news at the end of January that year, when the brand confirmed that it was looking into suspicious activity. Later, in May, the brand revealed that it had been targeted by malware that collected customer credit card information but estimated that fewer than 300 restaurants were affected. By July, however, that number dramatically increased when Wendy’s said that actually over 1,000 restaurants were targeted.
In March 2015, health insurance company Premera Blue Cross announced that sensitive user info, including medical, financial, and personal information, had been compromised when hackers broke into the company’s computer system. The cyberattack reportedly took place between May 2014 and January 2015, exposing data of 11 million customers.
The company did not reveal how hackers were able to breach Premera’s systems, but as CNN notes, once they were in, the attackers were able to access customer data going as far back as 2002.
If you love moderately priced burritos and questionable queso, we have some bad news for you: Chipotle was hacked in 2017.
The company first reported the hack in April 2017 during an investor call, according to Fortune, where Chipotle’s CFO told analysts “We want to make our customers and investors aware we recently detected unauthorized activity on a network that supports payment processing for purchases made in our restaurants.”
Then in May 2017 Chipotle revealed more about the hack — malware reportedly infected Chipotle’s point of sale system, allowing hackers to steal credit card data from “most, but not all” restaurants.
If there is one hacking scandal that’ll go down in the history books, it’s the Equifax data breach. In September 2017, the credit reporting agency revealed that it had been the victim of a hack, resulting in data from approximately 143 million people being stolen. According to a statement posted by Equifax, the hack lasted from May to July in 2017, allowing hackers to steal sensitive personal information from customers, including social security numbers and driver’s license numbers.
Following the hack, former Equifax CEO Richard Smith, who stepped down soon after the data breach, apologized to customers, saying, “This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do.”
But that was only the first part of the scandal.
Shortly after the hack, Equifax accidentally directed customers to a fake security website that was actually a phishing scam. Also, the company went through yet another scare when security researcher Randy Abrams revealed that some pages on the company’s website redirected to another website which offered a fake Flash update which contained malware. Equifax looked into the incident and found that its systems were not compromised because of the issue.
Though the hack took place in 2017, the Equifax scandal found a way to come back to 2018 when *plot twist* the company revealed in March that an additional 2.4 million people were hacked.
In September, Whole Foods announced that it was investigating information the company received about unauthorized access of payment card information used at Whole Foods properties.
It’s still unclear what information was stolen, if any, and to what scale, but Whole Foods noted that the breach didn’t affect all of Whole Foods, just “certain venues such as taprooms and full table-service restaurants located within some stores.”
“These venues use a different point of sale system than the company’s primary store checkout systems, and payment cards used at the primary store checkout systems were not affected,” Whole Foods wrote in a statement about the hack.
In September 2017, Krebs reported that fast-food company Sonic had been hacked, and the credit card information of 5 million customers was put on sale on cybercrime website Joker’s Stash.
The hack revelation involved a little bit of detective work on Krebs’ part. The cybersecurity expert first began keeping an eye out for info about a potential hack after hearing from “sources at multiple financial institutions who noticed a recent pattern of fraudulent transactions on cards that had all previously been used at Sonic,” Krebs wrote.
He then asked those sources to look into a batch of credit card info that had been posted to Joker’s Stash and “sure enough, two sources who agreed to purchase a handful of cards from that batch of accounts on sale at Joker’s discovered they all had been recently used at Sonic locations.”
Sonic then confirmed the breach, telling Mashable via email that the company it uses to process credit cards had seen “unusual activity regarding credit cards used at Sonic.” The fast-food chain also posted a memo about the breach to its site, writing, “Sonic Drive-In has discovered that credit and debit card numbers may have been acquired without authorization as part of a malware attack experienced at certain Sonic Drive-In locations.”
In addition to working with law enforcement to investigate the hack, Sonic also offered customers two years of free fraud and identity theft detection.
In March 2018, Under Armour notified customers that its food and nutrition app “MyFitnessPal” had suffered a data breach and that 150 million users’ data was compromised. The company explained the breach in a press release, stating, “On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018.”
Included in the stolen information were usernames, email addresses, and hashed (or encrypted) passwords. That last bit — hashed passwords — may be one small consolation from the breach. Of the hack, Mashable tech reporter Jack Morse noted, “The fact that the passwords were hashed is good news to those affected, as it suggests that their accounts may not have been immediately compromised following the breach.”
But users should still change their passwords just to be safe. “Still, anyone who has used the MyFitnessPal should absolutely change their password — a recommendation that Under Armour is making as well,” Morse advised.
Saks Fifth Avenue / Saks Off Fifth / Lord & Taylor
On the first day of April, security firm Gemini Advisory revealed that cybercrime syndicate Fin7 hacked Saks Fifth Avenue, Saks Off Fifth, and Lord & Taylor, stealing credit and debit card data from approximately 5 million customers between May 2017 and April 2018.
“Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised. The majority of stolen credit cards were obtained from New York and New Jersey locations,” Gemini Advisory wrote.
Saks later confirmed the breach, saying “Once we have more clarity around the facts, we will notify our customers quickly and will offer those impacted free identity protection services, including credit and web monitoring.”
Sometimes customer data gets exposed not because of a hack but because of some terrible, horrible, no good, very bad decision making on a business’s part. And that’s definitely the case with Panera Bread’s 2018 data breach.
In April, Krebs reported that PaneraBread.com listed, in plain text, customer data including names, email addresses.
To make matters worse, Panera Bread reportedly knew of the leak for eight months before the leak was revealed. In an essay published on Medium titled “No, Panera Bread doesn’t take security seriously,” cybersecurity expert Dylan Houlihan says he alerted Panera Bread about the flaw but the company “sat on the vulnerability and, as far as I can tell, did nothing.”
Not cool, Panera. Not cool.