Steve Weisman is a lawyer, college professor, author, and one of the country’s leading experts in cybersecurity, identity theft, and scams. See Steve’s other Con Watch articles.
Data breaches are a common occurrence and can readily lead to your identity being stolen. Recently, the hacking group ShinyHunters successfully stole personal information from approximately 5 million customers of Panera Bread, including customer names, email addresses, phone numbers, home addresses, and account details. In the last year, ShinyHunters has also hacked Google, Farmers Insurance, Allianz Life, Workday, Pandora, Cisco, Chanel, Dior, Louis Vuitton, Tiffany, and Qantas. In the case of Panera Bread, the hackers obtained access to a Panera Bread database through social engineering, where they posed as an IT worker and lured Panera Bread employees into providing access credentials.
Companies must do a better job of protecting themselves not only from technologically sophisticated cyberattacks, but also from less sophisticated yet equally effective social engineering attacks such as the one behind the Panera Bread data breach.
Two lawsuits have been filed seeking class action status regarding the data breach. They allege that Panera once again failed to protect sensitive customer data (Panera suffered a similar data breach in March of 2024). The lawsuits also allege that Panera still hasn’t notified affected customers about the breach, although the company has acknowledged it.
If a settlement is approved by the court regarding the class actions, you will receive a notice from the court with instructions regarding how to claim benefits. While generally the actual cash payouts from class actions like this are quite small, often the settlements will offer free credit monitoring and identity theft insurance coverage. In addition, if you do have out-of-pocket costs related to the data breach, settlements generally will cover those costs. Additionally, while the payouts may not seem worthwhile, data breach class actions serve a public purpose in inducing companies to enhance their security.
If you don’t yet know if you were affected by the Panera data breach, you can find out if your email address was among those compromised by going to the free data breach notification service haveibeenpwned. Have I Been Pwned identified 760 MB of documents from the data breach on ShinyHunters’ dark web site, where it posted the documents after Panera Bread failed to pay a ransomware extortion.
If you have a Panera account, change your password and add dual factor authentication to your account for extra security.
While personal information of the kind compromised in this particular data breach does not pose the immediate threat of a compromised Social Security number, it does enable a cybercriminal to create more specifically targeted spear phishing attacks that appear legitimate.
You should also freeze your credit. Freezing your credit is something everyone should do because it protects you from someone using your identity to obtain loans or make large purchases even if they have your Social Security number. It’s free and only takes a few minutes. Here are links to each of the credit agencies with instructions on how to get a credit freeze:
You should also monitor your credit reports regularly for indications of identity theft. The three major credit reporting agencies now provide free weekly access to your credit reports. Go to AnnualCreditReport.com to get free credit reports from all of the agencies. Note this is the only place to get truly free reports. Some scammers have websites that appear to offer “free” credit reports, but if you read the fine print, you often may find that you have signed up for unnecessary services.
With data breaches so common, it is also important to limit the amount of personal information you provide to any company to no more than what is absolutely necessary. Many companies ask for your Social Security number although they have no real need for that information. Don’t provide it if possible.
Be wary of anyone who calls asking for personal information to help you with a data breach, as that is a favorite tactic of hackers. Also, as always, never click on a link or download an attachment to an email or text message unless you have absolutely confirmed that it is legitimate, and don’t provide personal information in response to an email, text message, or phone call unless you know the communication is legitimate.



Comments
As if there weren’t already enough reasons to steer clear of Panera Bread as it is.