Breaches Are a Problem, Even When Your Credit Card Number Isn’t Stolen
Anyone who has ordered food through Panera Bread’s website could have had their personal details stolen by cybercriminals, according to security expert Brian Krebs. Information obtained may include names, email addresses, mailing addresses, birthdays, and the last four digits of credit card numbers.
While the company claims the breach affected fewer than 10,000 customers, Krebs reports more than seven million customers could have been affected.
The affected database was exposed for eight months. Reuters reports Panera did not fix the problem, even though it was made aware of the leak in August.
Since full payment card details were not breached, consumers may wonder what thieves could do with data such as an email address or birthday.
First, it is important to know that hackers bundle your stolen information with that of other victims and sell this “package” on the dark web. Then, cybercriminals use the information for a variety of purposes. For example, if a criminal has your email address and birthday, they may send a spoofed email that appears to be from Panera, asking you to click on a link or download a file for a “birthday freebie.”
If you follow the link, the fake website will require you to enter personal information (such as passwords), which the criminal can then steal and attempt to use with your other accounts. If you download any software, it will install malware on your computer, which can then be used to steal more information.
How can consumers be protected from these types of scams? Carefully examine the address of any email that appears to come from a company with whom you do business. An email from Panera will end with @PaneraBread.com or some similar identifier. A phishing email will contain misspellings or may even have something unrelated after the @ symbol.
Also, ignore the email and log directly into your account via the company’s website. If the email claims you have won some sort of free gift, the information will be linked to your account, so there is no reason to click on a link in an email.
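The sender-address check described above can be automated; the following is an added example, not part of the original article, and it goes slightly beyond the text by also flagging near-miss spellings of the domain. The sample headers are constructed, and treating subdomains of the company's domain as trusted is an assumption.

```python
from email.utils import parseaddr

TRUSTED = "panerabread.com"  # domain named in the article, lowercased


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED):
    """Classify a From: header as 'trusted', 'lookalike' or 'unrelated'.

    Only the address inside <...> is examined; the display name is
    ignored because the sender can set it to anything.
    """
    _display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if not domain:
        return "unrelated"
    # Assumption: subdomains of the company's domain count as legitimate.
    if domain == trusted or domain.endswith("." + trusted):
        return "trusted"
    brand = trusted.split(".")[0]
    # Brand name embedded elsewhere in the domain, or a label within two
    # edits of it, suggests deliberate imitation rather than coincidence.
    if brand in domain or any(edit_distance(l, brand) <= 2 for l in domain.split(".")):
        return "lookalike"
    return "unrelated"


# Constructed sample headers; every one shows "Panera Bread" as display name.
SAMPLES = [
    "Panera Bread <rewards@PaneraBread.com>",
    "Panera Bread <news@email.panerabread.com>",
    "Panera Bread <gift@panerabraed.example>",
    "Panera Bread <promo@panerabread.com.freebie.example>",
    "Panera Bread <birthday@free-gifts.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):10} {header}")
```

A "trusted" result only means the visible address matches the expected domain. The From header itself can be forged, which is why logging in directly through the company's website remains the safer habit.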