Skip to Content
Security & privacy

If you shopped at these 16 stores in the last year, your data might have been stolen

When was the last time you heard about a store or restaurant that was hacked, thereby compromising customer data? It probably wasn’t all that long ago.

The problem is hackers are getting more sophisticated with their methods, while at the same time companies seem to be slacking in their security.

There are so many ways for hackers to get in, which they can do through even the slightest of openings.

Unfortunately, there is no way to know who will be the next to have a data breach. But as long as information is still put online and in computer systems, hackers will set their sights on the treasure troves of information.

These companies had problems already

Since January 2017, at least 16 notable retailers were hacked, with customer information likely being taken from each one. The levels of the data stolen and the ramifications vary, but if you happened to shop or dine at any of them, then you had some bad luck.

Which companies were in the news for the wrong reasons? Here’s a look.

Cheddar’s Scratch Kitchen

Darden Restaurants, the parent company of Cheddar’s Scratch Kitchen, announced in August they were victims of a cyberattack. The attack occurred between Nov. 3, 2017, and Jan. 2, 2018, and it may have led to credit card information being stolen.

In all, Darden estimates that 567,000 card numbers could have been affected. States caught up in it include Alabama, Arizona, Arkansas, Delaware, Florida, Illinois, Indiana, Iowa, Kansas, Louisiana, Maryland, Michigan, Missouri, Nebraska, New Mexico, North Carolina, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia and Wisconsin.


Photo by © Bragearonsen |

In this case, it is not entirely clear that a breach actually occurred. Still, Adidas took the threat seriously and let people know that customers who purchased products on their U.S. site may have had their data compromised.

It all stemmed from a third party claiming to have acquired data that was associated with certain customers in late June. There was nothing that said the threat was real, but Adidas took an abundance of caution while looking into it.

According to the apparel company, if data were taken it would have included usernames as well as encrypted passwords. They pointed out there was no reason to believe credit card or fitness information was caught up in the breach.

For more about this, tap or click here.

Sears, Kmart and Delta

Word of this breach came in early April, with all three companies being involved because they use the same third-party partner, [24]7. The incident impacted online purchases made between September 27 and October 12, 2017.

For Sears, it involved credit card numbers, CVV numbers, expiration dates, names and addresses of roughly 100,000 customers.

With Delta, it was not clear what information was accessed and compromised, though they said details related to passports, government identification, security and frequent flier information was not impacted.

Kmart, which is owned by Sears, was impacted in the same way, though it came on the heels of another breach that happened in summer 2017.

For more, tap or click here.


In April 2017, word came out of a massive credit card breach that impacted the video game retailer. KrebsOnSecurity notified the chain that it believed payment card data from cards used on their website was being offered for sale elsewhere, which GameStop proceeded to look into.

Shoppers who made purchases on the site from September 2016 to the first week of February 2017 may have been impacted, though the breach did not impact their brick-and-mortar stores.

Taken as part of the hack were customer credit card numbers, expiration dates, names, addresses and the three-digit security codes on the back of the cards.

For more on this story, tap or click here.


In February 2017 it was discovered that hundreds of Arby’s restaurant locations were infected with malware. The result of the malware was at least 355,000 customers’ credit card and debit card information being stolen.

The bad software was installed in the chain’s payment card system inside corporate store locations. Franchised locations were not impacted.

For more on this story, tap or click here.


Photo by © Jonathan Weiss |

The most recent company to make headlines, Macy’s reported that between the end of April and middle of June, a third party was using actual usernames and passwords to gain access to accounts.

The retailer noted that the unauthorized parties were able to get a hold of customer names, addresses, phone numbers, email addresses, birth dates and credit or debit card numbers — along with their expiration dates.

Macy’s did not reveal how many accounts were impacted. For more about this hack, tap or click here.

Best Buy

It turns out Best Buy was also part of the [24]7 breach. It told customers of the problem on April 5, but noted that just a small percentage of their overall online customer base was affected.

However, they said the breach might have jeopardized payment information.

Saks Fifth Avenue, Lord & Taylor

We found out in April that the popular retailer, along with Lord & Taylor locations, were impacted by a data breach. Hudson’s Bay Company, which owns both chains, said more than 5 million of its shoppers had their critical data stolen by hackers. The time period at issue was May 2017 until April 2018.

What was stolen? The theft included payment card details, so if you shopped at either one of the retailer’s locations during those months, there’s a pretty good chance your info was stolen.

If only it ended there. Making things worse, many of the stolen records ended up on the Dark Web.

For more on this story, tap or click here.


We learned back in September 2017 that people who stopped by the fast-food chain may have had their credit card numbers stolen. With about 3,600 stores across 45 states, the problem was definitely widespread.

KrebsOnSecurity discovered there were about 5 million stolen credit card numbers for sale on the Dark Web, with all of them having links to Sonic. Made aware of the problem, Sonic said they were working to understand the nature and scope of the issue.

For more on this story, tap or click here.

Under Armour

Fitness apps have become exceptionally popular, for both people trying to get in shape and those who are seeking information. One of the most used apps, MyFitnessPal, became a hacking victim in February 2018.

Word came out about it in late March, when it was revealed that a major data breach that affected more than 150 million users went down. Stolen data included usernames, email addresses and passwords that were encrypted with the hashing function dubbed bcrypt.

UnderArmour said Social Security numbers, drivers licenses and credit/debit card information was not impacted, though they hired a security firm to assist in an investigation into what actually happened.

For more on this story, tap or click here.

Panera Bread

© Jonathan Weiss |

In early April, we learned of a hack that involved Panera Bread, one in which roughly 37 million customers may have had their information leaked. Included in the leak were names, addresses and partial credit card numbers.

Less of a hack than a security flaw in their online systems, Panera Bread took the part of the site that was problematic offline.

Perhaps worst of all with this one is that Panera Bread was aware of the problem for about eight months before actually doing anything about it! Panera maintained that there was no evidence of cards or other really important information being accessed.

For more on this story, tap or click here.

Forever 21

The clothing retailer had some things to fix after an issue that affected people who shopped at the stores from March through October back in 2017. Forever 21 let its customers know in November that some of their information may have been stolen.

It happened because of a flaw in the store’s cashier terminals, one that may have accidentally exposed things like credit card numbers, expiration dates and internal verification codes to hackers.

Whole Foods

Whole Foods announced last August it had received information about unauthorized access of payment card information. In reality, there was a flaw in the point-of-sale system used by the grocery chain’s taprooms and table-service restaurants.

It did not impact the system the grocery store uses for everything else.

What you need to do after a data breach

  • Keep an eye on your bank accounts – You should be frequently checking your bank statements, looking for suspicious activity. If you see anything that seems strange, report it immediately.
  • Check HaveIBeenPwned – this site will tell you if your information has been stolen in a previous breach.
  • Change your password – Whenever you hear news of a data breach, it’s a good idea to change your account passwords. Read this article to help you create hack-proof passwords.
  • Close unused accounts – Here’s an easy way to manage all of your online accounts at once.
  • Beware of phishing scams – Scammers will try and piggyback on huge breaches like this. They will create phishing emails, pretending to be the affected company, hoping to get victims to click on malicious links that could lead to more problems. Take our phishing IQ test to see if you can spot a fake email.
  • Manage passwords – Many people use the same username and password on multiple sites. This is a terrible practice and you should never do it. If you’re using the same credentials on multiple sites, change them to make them unique. If you have too many accounts to remember, you could always use a password manager.
  • Check email security settings – Make sure the email account associated with the hacked site has updated security settings.
  • Have strong security software – Protecting your gadgets with strong security software is important. It’s the best defense against digital threats.
cryptocurrency e-book hero

New eBook: ‘Cryptocurrency 101’

Don't want to lose your dough to crypto? Check out my new eBook, "Cryptocurrency 101." I walk you through buying, selling, mining and more!

Check it out