If you shopped at these 16 stores in the last year, your data might have been stolen

Cheddar's Scratch Kitchen, owned by Darden Restaurants, is the latest retailer to disclose it was the target of a data breach.

caption
Cheddar’s Scratch Kitchen, owned by Darden Restaurants, is the latest retailer to disclose it was the target of a data breach.
source
Facebook/Cheddar’s Scratch Kitchen

  • Data breaches are on the rise. Since January 2017, at least 16 retailers were hacked and likely had information stolen from them.
  • A report from cybersecurity firm Shape Security showed that almost 90% of the login attempts made on online retailers’ websites are hackers using stolen data.
  • Many of these breaches were caused by flaws in payment systems that were taken advantage of by hackers.

At least 16 separate security breaches occurred at retailers from January 2017 until now. Many of them were caused by flaws in payment systems, either online or in stores.

Data breaches are on the rise for both retailers and other businesses.

A recent report published by cybersecurity firm Shape Security showed that 80% to 90% of the people that log in to a retailer’s e-commerce site are hackers using stolen data. This is the highest percentage of any sector.

These data breaches are a real danger for both companies and customers and can affect the trust shoppers have in brands.

According to a study by KPMG, 19% of consumers would completely stop shopping at a retailer after a breach, and 33% would take a break from shopping there for an extended period.

Here are 16 retailers that have been affected by data breaches since January 2017:


Cheddar’s Scratch Kitchen

source
Facebook/CheddarsScratchKitchen

Darden Restaurants announced on Wednesday it was notified by government officials on August 16 that it had been the victim of a cyberattack.

Customers who visited Darden-owned Cheddar’s Scratch Kitchen between November 3, 2017 and January 2, 2018 may have had their credit-card information stolen. Darden estimates that 567,000 payment card numbers could have been compromised.

Customers affected would have visited a Cheddar’s location in any one of these states: Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, and Wisconsin.


Macy’s

source
Macy’s

Macy’s confirmed that some customers shopping online at Macys.com and Bloomingdales.com between April 26 and June 12 could have had their personal information and credit card details exposed to a third party.

Macy’s did not confirm exactly how many people were impacted. However, a spokesperson for the company said the breach was limited to a small group of people.

Macy’s said in a statement: “We have investigated the matter thoroughly, addressed the cause and, as a precaution, have implemented additional security measures. Macy’s, Inc. will provide consumer protection services at no cost to those customers. We have contacted potentially impacted customers with more information about these services.”


Adidas

source
Adidas

Adidas announced in June that an “unauthorized party” said it had gained access to customer data on Adidas’ US website. Currently, the company believes only customers who shopped on and purchased items from the US version of Adidas.com may have been affected by the breach.

The data that is potentially at risk includes customer contact information, like email addresses and physical addresses, as well as login information, like usernames and passwords. The passwords were stored with an encryption, however, which would need to be unencrypted before they could be used.

Adidas did not say exactly how many customers could have been affected by the breach, but an Adidas spokeswoman confirmed it is likely “a few million.”


Sears

source
Getty Images

Sears alerted customers on April 4 of a “security incident” with an online support partner [24]7.ai that may have resulted in up to 100,000 people having their credit-card information stolen.

The incident affected shoppers who bought items online from September 27, 2017 to October 12, 2017


Kmart

source
Business Insider/Hayley Peterson

Kmart, which is owned by Sears Holdings, was also affected by the breach, the company reported on April 4.

Kmart had been affected by a separate breach last June.


Delta

Delta used the same online support service as Sears and was also affected by the reported breach.

The airline said customer payment information may have been vulnerable but did not estimate how many of its customers were affected.


Best Buy

Best Buy was also affected by the breach of [24]7.ai, it told customers on April 5.

The retailer said only “a small fraction of our overall online customer population” was affected in the breach, which might have jeopardized payment information.


Saks Fifth Avenue

source
Darren Ornitz/Reuters

Hudson’s Bay, the parent company of Saks Fifth Ave, confirmed in April that a data breach compromised payment systems and therefore customers’ credit and debit cards.

Estimates of the amount of affected customers have not yet been released, but could number in the millions. Online customers were not affected.


Lord & Taylor

source
Mark Matousek/Business Insider

Hudson’s Bay also owns Lord & Taylor, and those stores were also affected by the breach.


Under Armour’s MyFitnessPal app

source
Facebook/Under Armour

While Under Armour’s store systems or online store weren’t affected, the retailer confirmed in March that data from its MyFitnessPal app was accessed by an “unauthorized party.”

Payment information was not released, but Under Armour says user names, emails, and encrypted passwords were affected. More than 150 million people’s information was likely compromised.


Panera Bread

source
Facebook/Panera Bread

Panera Bread confirmed on April 2 that it was notified of a data leak on its website.

At the time, it said personal information, including names, addresses, and partial credit card numbers may have leaked, though the company says the investigation is ongoing.


Forever 21

caption
A Forever 21 store in Chicago.
source
Timothy Hiatt/Getty Images

Forever 21 alerted its customers in November that some of their information may have been stolen.

A flaw in the store’s cashier terminals may have inadvertently exposed data like credit card numbers, expiration dates, and internal verification codes to hackers. Customers who shopped in stores from March through October 2017 are vulnerable.


Sonic

source
Sonic

Sonic told Business Insider in September 2017 that it detected “unusual security regarding credit cards being used at Sonic.”

Credit cards from 5 million customers may have been stolen, as most of the chains more than 3,600 locations use the same payment system.


Whole Foods

source
Getty/Justin Sullivan

Whole Foods announced last August that it “recently received information regarding unauthorized access of payment card information.”

A flaw in the point-of-sale system used by the chain’s taprooms and table-service restaurants was affected, but not the system the grocery store itself uses.


Gamestop

source
Chris Snyder/Business Insider

Gamestop confirmed a data breach in April 2017. Customers who shopped online for a six-month period were vulnerable, from August 10, 2016 to February 9, 2017.

Names, addresses, and credit card information were all taken in a breach of the website’s payments processor.


Arby’s

source
Arby’s

Arby’s confirmed in February 2017 a data breach affected 355,000 credit and debit cards used at its stores.

Malware in the chain’s cashier systems between October 25, 2016 and January 19, 2017 allowed the unauthorized access.