Panda Express is the latest to be hacked. What to do when your personal data are exposed

Panda Express chain restaurant in Middletown, DE, on July 26, 2019. (Photo by JIM WATSON / AFP) (Photo credit should read JIM WATSON/AFP via Getty Images)
Panda Express chain restaurant in 2019. (Jim Watson/AFP via Getty Images)

For the record:
10:10 a.m. May 2, 2024: An earlier version of the article stated that customers were affected by the Panda Restaurant Group’s data breach. The breach exposed current and former Panda employees’ data.

Another day, another report about a company exposing its customers' personal information to hackers or other unintended audiences.

On Wednesday, Panda Restaurant Group (parent company of Panda Express, Panda Inn and Hibachi-San) revealed that hackers had obtained the personal data of an unknown number of employees. In previous weeks, Kaiser Permanente and AT&T announced unauthorized data releases affecting millions of their customers.

The specifics surrounding what information was exposed in such events varies, but even the most mundane information that companies collect from us is of use to hackers, scammers and data brokers.

Panda said the breach was in early March and affected only its corporate systems, not its in-store operations. The data exposed consisted of first and last names and either driver's license numbers or non-driver identification cards of current and former employees.

Kaiser notified 13.4 million of its members that some data about searches for medical information that patients performed on Kaiser's website may have been inadvertently transmitted to Google and other search engines and media platforms. Other pieces of information that could have been compromised are IP addresses, account usernames, and data on how members used the Kaiser website.

Read more: Kaiser Permanente notifies 13.4 million members of data breach. City of Hope also reported breach

"These kernels of information are getting fed into databases that know so much about you," said Teresa Murray, consumer watchdog director of the U.S. Public Interest Research Group.

The pieces of collected information are put together to compile a profile of an individual, which is then sold, Murray said.

A data breach can happen instantly, but the effects of having your information stolen can take time to materialize. Murray said it could take weeks, months or even a year before your stolen credit card information is used for fraudulent purchases, for example.

AT&T notified 7.6 million current customers and 65.4 million former customers that their data from 2019 or earlier was exposed on the dark web in mid-March. The exposed information does not contain personal financial information or call history, AT&T said.

According to Murray, large-scale online data breaches have been going on for more than a decade, starting around 2013, when credit and debit card information was compromised at Target and Home Depot.

What's drastically changed is how much personal information about internet users is being taken from company servers and aggregated. Hackers are sweeping up a wide variety of data points about people, including their email address, bank account information, Social Security number and location.

This is happening because the average computer, smartphone and smart device user is putting too much information online, making it vulnerable to hackers, said Iskander Sanchez-Rola, director of privacy innovation for cybersafety network Gen.

Read more: Is your smart device safe from hackers? New FCC program will label cybersecure technology

Retailers and service providers don't help the situation by asking for so much personal information when a customer is creating an online account. If a company's server is breached, all of that information is vulnerable.

When you're signing up for an account, experts say, provide only the required information. If a field is optional, leave it blank.

But what can you do if you've been affected by a data breach? The first thing, Iskander Sanchez-Rola said, is to remain calm.

It can be scary and overwhelming to hear your information is in the dark web, but Sanchez-Rola says you can take solace in knowing that it's extremely likely that you or someone close to you has been exposed in a data breach before. In other words, you've not been newly victimized — you probably were already a victim.

Security experts say there is a series of other steps to take after getting notified of a data breach to prevent hackers and scammers from using the information for fraudulent activity. Here are their tips.

Make sure the breach notification is legit

When you sign up with a service provider, you typically tell the company how to alert you of fraudulent activity or data breaches. The message can reach you by phone, email, text or a mailed document.

The problem is that scammers can easily pose as a company and try to reach you by any of these modes of communication.

A fake letter or email can use the same logo as a company you've done business with. A fake notice can also insert information that's familiar to you because hackers have nuggets of your personal information, Sanchez-Rola said.

The best way to verify whether a notice is legitimate, experts say, is to contact the company that purportedly sent it. If you're getting an email or text saying your credit card or banking information has been stolen, grab your credit or debit card and call the customer service line on the back, then ask to speak to the fraud department.

If it's a notice from a retailer or service provider, don't click on a link in the note or call a phone number it providers. Navigate your way independently to the company's website, find the contact information for customer service and reach out directly.

When you search online, don't just go with the first number that pops up in the Google search results because it could be inaccurate or a scam, Sanchez-Rola said.

Read more: My wallet was stolen at a bar. Then my identity theft nightmare began

Your information has been stolen, what next?

Once you've verified that your information has been exposed — or if you want to protect yourself from future breaches — Murray and Sanchez-Rola suggested taking the following steps:

Update your contact information. If you've moved, changed jobs or gotten a new phone number, call your banks, credit card companies, investment firms and other financial institutions you do business with and give them your current contact information. If fraudulent activity is happening you'll want these financial institutions to get ahold of you quickly.

Sign up for bank alerts. Most major banks and credit unions offer text or email alerts for big-ticket purchases or when someone tries to open a new bank or credit account in your name.

Update passwords. Bank, email and other sensitive accounts should have unique passwords. If you use the same password or a variation of one password for all your online accounts, they are all vulnerable.

You should set up a two-factor authentication when it's available to provide an additional layer of security beyond your password. The option lets you verify who you are, typically by text or an authenticator app. Using an authenticator app is a little less convenient, but it's a more secure approach.

Put a freeze on your credit reports. A security freeze prevents new lines of credit from being opened in your name without the use of a personal identification number that is issued when you initiated it.

In order to place a security freeze, you may be required to provide the three major credit bureaus — Equifax, Experian and TransUnion — with information that identifies you, including your full name, Social Security number, date of birth, current and previous addresses, a copy of your state-issued identification card and a recent utility bill, bank statement or telephone bill.

The only downside to a security freeze is that it may delay your ability to obtain credit, a product or service that requires a credit report, such as when you try to rent a new apartment. You'd have to lift the freeze temporarily to solve that problem.

Read more: Here's why you should stop using paper checks

Set up fraud alerts. If you were alerted to possibly being a fraud victim, you can set up a fraud alert. You can establish one with any of the three major credit bureaus; it prompts lenders to take extra steps to verify your identity before granting new credit. An initial fraud alert is free and will stay on your credit file for at least 90 days.

If you are the victim of fraud or identity theft, you should file a police report and provide the police with copies of your credit reports, any relevant correspondence and copies of disputed bills.

For your records, keep a log of your conversations with creditors, law enforcement officials and other relevant parties.

Review your credit reports. The Federal Trade Commission recommends that you review your credit reports and account statements periodically. You can obtain a copy of your credit reports every 12 months directly from Equifax, Experian and TransUnion, or by visiting annualcreditreport.com or calling (877) 322-8228.

When you receive your report, look for credit inquiries that you didn’t initiate or do not recognize as well as inaccurate information, such as an incorrect home address or Social Security number.

When reviewing your report, if you see something you don’t understand, call the credit bureau at the telephone number on the report.

If you detect any suspicious activity on an account, you should promptly notify the financial institution or the company that maintains the account. You should also report any fraudulent activity or any suspected incidents of identity theft to law enforcement.

Sign up for Essential California for news, features and recommendations from the L.A. Times and beyond in your inbox six days a week.

This story originally appeared in Los Angeles Times.