When the news broke that Petco suffered a data breach that could have exposed the personal data of millions of customers, the conversation here at PCMag was, “Why does Petco store social security numbers?” There are probably legitimate reasons, but it was still both surprising and a good example of exactly how much private information every company has on its customers.
Petco says it’s informing affected customers, and didn’t mention how many customers were affected in its announcement about the hack, but if you’re a Petco shopper or have adopted a companion from a Petco store, keep an eye on your inbox in case your social security number, name, email address, date of birth, driver’s license, bank account numbers, or credit or debit card info (all of which were lost in the breach) were compromised. The company is advising customers to watch out for the usual scam attempts that come from data breaches, like phishing attacks or scam messages.
Luckily, we have a guide on what to do if your data has been lost in a breach, and we just published a guide to avoid spear phishing attacks, where a scammer uses information gleaned from breaches like this one to target you directly. Spear phishing used to be exclusively targeted at high-profile individuals or valuable targets, but in the age of AI, it’s so easy that scammers cast their net wide to catch anyone they can.
Anyway, some good news: There’s one week left to get up to $7,500 from AT&T’s $177 million data breach settlement, so if you qualify, now is the time to act.
Finally, if you’re like approximately 43% of Windows users, you’re still on Windows 10, even though Microsoft would really like you to upgrade. It’s OK, we won’t tell if you don’t, but we are here to ensure that your Windows 10 PC doesn’t fall victim to malware just because it’s technically end of life. The short version is that you need an antivirus that’s better than Microsoft Defender to keep you safe, but the longer version is worth clicking through to read. And speaking of personal security, we know that it can be tempting to opt for the free option when searching for security tools, but when it comes to VPNs, free often comes with significant drawbacks. There are some very good free VPNs out there, don’t get us wrong, but if protecting your privacy is why you use one, you may want to consider free VPNs as a test drive and then upgrade to one of the best VPNs (or even a good, cheap VPN) when you can.
Arizona AG Sues Temu Over ‘Stealing’ User Data
Everyone from major online retailers to fast food chains loves it when you install their apps, because they have a direct line to all the useful data your phone provides. So when any government or regulatory body stands up to complain about the amount of data that a retailer collects, it’s worth paying attention to. In this case, as Dark Reading reports, the state of Arizona is accusing Temu of harvesting way more sensitive and personal data than required for a retail app. The state is also accusing the company of doing it without proper consent, in violation of the Arizona Consumer Fraud Act.
For its part, Temu denies the allegations, although its response focuses less on how much data it collects and why, and instead emphasizes the value proposition it offers: affordable goods to consumers on a budget. This isn’t just semantic bickering, though. The Arizona state attorney general states that a review of the Temu app’s code reveals it’s designed to evade front-end security and behaves like spyware, actively changing itself depending on whether the app can detect it’s being examined forensically. We’ll have to wait to see how the lawsuit plays out in the courts, but it’s fair to say that if Arizona makes some headway in getting Temu to clean up its app, other major retailers like Amazon won’t be far behind when it’s their turn for scrutiny.
US Treasury: Ransomware Payments Surpassed $4.5 Billion
When we say that ransomware is the biggest threat to corporate information security, this is what we mean. Security Week reports that American companies have paid out over $4.5 billion to attackers holding their data hostage through ransomware. As always, though, the issue is that the money is usually paid out in crypto, and payment is never a guarantee that you’ll get the decryption key to restore your data, or even eliminate the problem that caused the attack in the first place. We’ve covered businesses that were forced to shut down, sometimes entirely, or needed huge bailouts to recover from ransomware attacks.
The bottom line to this news is that ransomware isn’t going away and is only becoming a more significant problem for businesses of all sizes. That also means it’s more tempting to simply pay to try and make the problem go away, especially for organizations that lack the resources or funds to hire forensic experts who may still be unable to recover their data. According to Treasury Department data, the average ransomware payout is around $250,000, which is a drop in the bucket to a large company that just wants to make the problem go away, but can be crippling to, for example, a movie theater, a museum, or a hospital with patients on life support.
Prompt Injection Is a Problem That May Never Be Fixed, Warns NCSC
When people say things like “AI is here, we just have to accept that,” they’re also quietly saying that the security problems inherent in AI adoption are things that businesses and individuals will just “have to accept.” The UK’s National Cyber Security Centre (NCSC) is pointing out that, unfortunately, the most popular method of exploiting agentic AI systems and chatbots may prove impossibly difficult to fix. The Malwarebytes blog reports that years ago, the NCSC said that prompt injection may be the SQL injection of the future, but now they’re saying it’s much, much worse.
In short, prompt injection works because AI can’t tell the difference between a legitimate command and a malicious attacker’s command, and even as large companies rush to implement AI in everything they do, there seems to be no way to make current AI technologies distinguish between the two, simply because of how they work. The NCSC’s warning does include some suggestions for building more resilient AI, especially for use in sensitive settings, but they’re at the developer level, not the user level. Combine that with the fact that many security experts are telling companies to block all AI browsers now, before it’s too late, and as powerful as these tools are, the security issues (and the data breaches) don’t look like they’ll go away anytime soon. It’ll be up to each of us to determine whether our security and privacy (among other issues) are worth the convenience these tools offer.
About Our Expert
Alan Henry
Managing Editor, Security
Experience
I’ve been writing and editing stories for almost two decades that help people use technology and productivity techniques to work better, live better, and protect their privacy and personal data. As managing editor of PCMag’s security team, it’s my responsibility to ensure that our product advice is evidence-based, lab-tested, and serves our readers.
I’ve been a technology journalist for close to 20 years, and I got my start freelancing here at PCMag before beginning a career that would lead me to become editor-in-chief of Lifehacker, a senior editor at The New York Times, and director of special projects at WIRED. I’m back at PCMag to lead our security team and renew my commitment to service journalism. I’m the author of Seen, Heard, and Paid: The New Work Rules for the Marginalized, a career and productivity book to help people of marginalized groups succeed in the workplace.
