Over the last eight months, tens of thousands—and possibly as many as 37 million or more—Panera Bread customers have had their personal information exposed via the fast casual chain’s website, according to KrebsOnSecurity.com.
In a blog post from Monday, Krebs noted that the security flaw meant customers’ names, emails, addresses, birthdays, and the last four digits of their credit card numbers were not safeguarded for nearly the last year. The data available in plain text from Panera’s site appeared to include records for any customer who signed up for an account to order food online via panerabread.com, Krebs said.
But in some circles, the vulnerability wasn’t exactly a secret. In fact, the potential for a breach was first noted by cyber researcher Dylan Houlihan, who contacted Panera Bread about his findings in August. Until Monday, the 2,100-unit-plus bakery chain was silent on the issue.
It’s important to note that customer data was not hacked. However, Houlihan noticed a huge bank of enumerable data that a hacker could easily crawl through mining for customer information.
Houlihan first broached the subject with Panera’s information security director, Mike Gustavison.
“There is a security vulnerability on the delivery.panerabread.com website that exposes sensitive information belonging to every customer who has signed up for an account to order Panera Bread online,” Houlihan wrote in August of last year.
Gustavison initially thought Houlihan’s email was a scam, but later responded that Panera Bread was working on a solution. Despite Houlihan continuing to follow up, a resolution was not reached, and the website was not taken down for security reasons until this week. This came after KrebsOnSecurity spoke with chief information officer John Meister, the site said. Once it came back, the data at stake referenced above was no longer reachable.
Following the blog post, Panera denied the estimation from Krebs that millions of customer records might be at risk. Instead, they suggested that about 10,000 or fewer records had potentially been affected, and assured the public that the brand was taking the right steps toward cyber security, in a statement to Fox News. KrebsOnSecurity said the incremenatal customer numbers indexed by the site suggest that the number may be higher than 7 million, and it’s also uncertain whether Panera customer account passwords may have been impacted.
Multiple sources said Panera fixed the issue by requiring people to log in to a valid user account at panerabread.com in order to view the exposed customer records, as opposed to allowing users to get there via link.
Hold Security shared additional links that suggest the data breach could be much larger than 7 million customers. In fact, as KrebsOnSecurity pointed out, the vulnerabilities also appear to have extended to Panera’s commercial division, which serves catering outlets. At last count, the number of customer records exposed in this breach appears to exceed 37 million.
While it might seem that Panera Bread got away unscathed in this situation—that a cyber researcher found the potential for a breach, not a thief—the news is still troubling for a brand with such a strong digital and mobile platform.
This news follows several high-profile security breaches in foodservice. Applebee’s faced down a hack of 160 units in March, while in limited service, Jason’s Deli, Arby’s, Sonic Drive-In, Chipotle, Pizza Hut, and Wendy’s grappled with breaches in recent months.