data breaches at Deloitte and more

Unfortunately, cybercrime does not exist in a vacuum, so although the Equifax breach has taken precedence in recent weeks due to its sheer size and impact, it’s important to take note of what else is happening in this arena. Consider that in the first half of 2017 alone, approximately 918 breaches were reported and nearly 2 billion data records were compromised, according to the Breach Level Index 2017 H1 Report just published by cybersecurity company Gemalto. These numbers don’t even count the Equifax breach, and as more breaches continue to happen, these numbers are likely to grow significantly by the time the report is compiled for the second half of 2017.

In fact, just in the past week, three incidents have been disclosed by major accounting firm Deloitte, national fast food chain Sonic Drive-In and grocery giant Whole Foods. Each of these breaches has its own specific victims and risks, so we’re breaking down the important details for all three to ensure that potential victims are aware.

Deloitte breach

What happened: On Sept. 25, The Guardian published a story that Deloitte had acknowledged a breach that potentially compromises all administrative accounts within the firm along with the entire internal email system. This breach is believed to date back to October or November 2016, and exposed information includes usernames, passwords and personal data for some of its top clients. Although Deloitte has said that very few of its clients were compromised, sources close to the situation have indicated otherwise, and there has been no disclosure as to exactly when the initial intrusion occurred or how long the hackers had access.

Who is at risk: One of the “big four” accounting firms in the world, Deloitte is not necessarily a household name for most people, but the clients it serves range from pharmaceutical firms and media enterprises to banks and even government agencies. The most at-risk in this breach are the accounting firm’s clients, as well as Deloitte itself, as this is a huge embarrassment for the company. Considering it provides cybersecurity advice to other companies — and was even named the best cybersecurity consultant in the world in 2012 — it’s alarming that a company like this has the potential to be breached. Especially worrisome is the fact that the hacker or hackers had unrestricted access thanks to an administrative account which was protected only by a single password and no two-factor authentication. That type of lax cybersecurity has come into play with far too many big data breaches in recent years and highlights why cybersecurity is even more important now than ever before. These types of breaches show that nobody is too important to be breached.

What is the company doing about it?: Deloitte discovered the hack in March 2017, and immediately engaged a third-party cyber forensics team to investigate alongside government authorities. Though this was a U.S.-based hack, Deloitte has clients all over the world, so more than just the U.S. government will need to be involved. According to the firm, it has implemented a comprehensive security protocol and set off on a thorough internal review. Much of the initial six-month investigation was kept under wraps, with only a select few employees being privy to the details (based on information obtained by The Guardian).

Sonic Drive-In

What happened: Fast food restaurant chain Sonic Drive-In acknowledged a security breach of its payment card systems to Krebs on Security, which broke the story on Sept. 26. Not much is known yet as to how many stores were affected or how the hackers gained access, but cybersecurity researcher Brian Krebs initially caught wind of the story when multiple financial institutions contacted him about a pattern of fraudulent transactions on payment cards which were all used at Sonic Drive-In restaurants recently. A batch of 5 million payment cards put up for sale on a black market website called Joker’s Stash was later corroborated to contain credit card information stolen from Sonic Drive-In systems.

Who is at risk: As of yet, there isn’t any information as to how many of the approximately 3,600 locations across 45 states were impacted. However, if this breach follows the typical format for other breaches like it, affected customers’ names, payment card numbers, verification numbers and expiration dates are likely at risk for exposure. It’s interesting to note that customers at Sonic Drive-In typically swipe their payment cards at outdoor terminals instead of paying inside or handing over a card to an employee at a window. Similar to outdoor ATMs, this could make them more attractive targets for skimming devices, since a fraudster wouldn’t have to place said devices under the watchful eyes of employees inside a location.

What is the company doing about it?: As of now, Sonic Drive-In has acknowledged the breach following notification by its credit card processor and is working on an investigation with the help of law enforcement and a cybersecurity team. It is not clear whether all 5 million records for sale on the black market website Krebs discovered are from Sonic, or if there are other stolen records from different companies included. Hopefully, Sonic Drive-In will keep customers informed as it learns more through its investigation so they can take action to protect themselves.

Whole Foods

What happened: On Sept. 29, grocery store chain Whole Foods announced that payment card information was stolen from the point-of-sale (POS) system used in approximately 117 of the sit-down restaurants, bars and taprooms in its 400+ stores in the U.S.

Who is at risk: Only people who used a payment card at an affected in-store location were impacted. There is no indication as to what information was exposed yet, but customers should note that the stores themselves use a separate POS system to process grocery purchases from the one which was compromised. Additionally, no Amazon.com transactions were involved.

What is the company doing about it?: Whole Foods has engaged law enforcement and cybersecurity professionals to investigate thoroughly. Since the investigation has only just been launched, time will tell as to whether more stores will be included; for the time being, concerned customers can view which specific locations were breached on the Whole Foods website to determine if they should be worried. This seems to be part of a growing number of similar payment card breaches at fast food-style locations like Wendy’s and Chipotle in the past year.

Data breaches seem to be never-ending, but the good news is that you can take steps to protect yourself. These include monitoring your bank and credit card statements, watching for unusual activity on your credit reports, practicing strong cybersecurity habits with your computers and mobile devices and much more. Follow our identity theft protection blog to keep up on the latest news and tips.