Published: Wed, April 04, 2018
Money | By Hannah Jacobs

Panera Bread Leaks Millions of Customer Records

Panera Bread has found itself in the hot seat after allegedly sitting on a security vulnerability for at least eight months and not taking action.

Security experts have alleged that United States bakery-cafe chain Panera Bread had "millions" of customers' personal information available and searchable on its site for at least eight months, leaving them vulnerable to identity theft. The exposed data included names, physical addresses and birthdays. An email exchange between the security researcher and Panera director of information security Mike Gustavison suggests that the company had acknowledged the problem and was working on a fix.

"Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved", Panera Bread's Chief Information Officer John Meister said in a statement.


An independent security analyst told KrebsOnSecurity.com that he'd warned Panera about the breach in August 2017.

Panera Bread knows how to make a delicious sandwich, that is something we can confidently say (The Italian is this editor's go-to item on the menu).

But Houlihan said the flaw "never disappeared".


'The format of the database also lets anyone search for customers via a variety of data points, including by phone numbers,' Krebs added.

The website was taken offline briefly on Monday, and access to the customer data at the heart of the leak appears to have been locked down. A year earlier, the credit agency Equifax had revealed that hackers stole some of its customers' personal data, affecting almost 140 million people in total.

Panera later took its entire website down, and the problem appears to have been corrected. However, Panera then gave statements to other media (Reuters, Fox Business) saying that Krebs was wrong, that "fewer than 10,000 consumers" were actually affected, and that they're about "to finalize our investigation".
