Millions of Panera Bread customers may have had their personal data exposed by the fast-casual restaurant chain, according to security experts.
Until Monday, scores of customer information — including names, email addresses, home addresses, birth dates and final four credit card digits — was accessible as plain text on the company’s website, according to a report from security writer Brian Krebs. It’s not clear whether anyone actually accessed any of the data, which was supplied by customers who had made accounts for food delivery and other services.
https://t.co/Y2Phv4yUdo, the Web site for the bakery-cafe chain by the same name, leaked millions of customer records — including names, DOBs, email/street addresses, last 4 of credit card — until today: https://t.co/S3sIx99HyG Worst part: They were first notified 8 months ago pic.twitter.com/QBw5lj6FmD
— briankrebs (@briankrebs) April 2, 2018
The problem was first identified by security researcher Dylan Houlihan, who supplied Krebs with emails dating back to August 2017 that show Houlihan informing Panera’s information security director about the leak. “Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months,” Houlihan wrote in a Medium post.
Panera said the issue had been resolved and affected fewer than 10,000 customers in a statement provided to Fox News on Monday. “Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved,” the statement reads.
Krebs, however, responded to that statement on Twitter, suggesting that the problem may have been much larger than Panera let on, and that vulnerabilities remained on the website. He estimates that as many as 37 million Panera members may have been caught up in the breach, even higher than his initial estimate of 7 million.
10k records, eh @panerabread ? Isn't that what you told Fox News right after my story ran? Fixed the issue, have you? How do you explain this? https://t.co/tWgSNv71TA
— briankrebs (@briankrebs) April 2, 2018
you know what, let's go for 37M instead of 7M: https://t.co/7DTaherzMi
— briankrebs (@briankrebs) April 2, 2018
Hey @panerabread : before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn't extend to all other parts of your business, like https://t.co/rSpkwc3y1v, etc. Only proper response is to deep six entire site
— briankrebs (@briankrebs) April 2, 2018
Panera later took its entire website down, and the problem appears to have been corrected. Representatives for the restaurant did not immediately respond to Fortune’s request for comment.
