April 4, 2018 by

Panera Bread Breach Could Affect Over 37 Million Customer Records

Popular bakery chain Panera Bread has been leaking millions of customer records in plain text for at least eight months, it has been revealed.

Panerabread.com, the website of the popular St. Louis-based chain of bakery-café casual restaurants, has leaked, at last count by cybersecurity research resource KrebsOnSecurity, over 37 million records in a comprehensive data breach. Customers’ personal data, including names, email and physical addresses, birthdays and the last four digits of customers’ credit card numbers, were all available in plain text from Panera’s site. The details were left exposed on the website, available for anyone to scoop them up.

The leak of customer data in plain text was first discovered by security professional Dylan Houlihan in August 2017. The company shot the claims down with a series of emails and false accusations that the researcher was a scammer or was only interested in a bounty. Finally, Panera Bread’s information security director Mike Gustavison addressed the concern and confirmed the company was working on a resolution.

Eight months later, seeing no progress toward fixing the security holes, Houlihan publicized the leak by reaching out to noted cybersecurity journalist Brian Krebs. Panera Bread has since downplayed the severity of the data breach, telling Fox News only “10,000 customer records were exposed.”

“Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps,” Panera Bread’s chief information officer John Meister said, insisting the company had fixed the security flaw.

However, Krebs discovered this wasn’t the case.

“Almost in an instant, multiple sources — especially @holdsecurity — pointed out that Panera had basically ‘fixed’ the problem by requiring people to log in to a valid user account at panerabread.com in order to view the exposed customer records (as opposed to letting just anyone with the right link access the records),” Krebs wrote.

Notably, he added:

The vulnerabilities also appear to have extended to Panera’s commercial division which serves countless catering companies. At last count, the number of customer records exposed in this breach appears to exceed 37 million.
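The distinction Krebs draws is the difference between authentication and authorization. As an added illustration (not code from the article, from Panera or from Krebs), the Python sketch below contrasts the three states the article describes: records readable by anyone holding the link, records gated behind a login only, and records gated behind a login plus a check that the logged-in account actually owns the requested record. All records, ids, names and the session model are constructed for this example.

```python
"""Added illustration, not code from Panera, Krebs or this article.
Shows why a login-only 'fix' leaves every record readable by every
account, and what an ownership check adds. All data is constructed."""

from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class CustomerRecord:
    record_id: int
    owner_user_id: int  # the account this record belongs to
    name: str
    email: str
    card_last4: str


# Constructed sample store: three customers, each owning one record.
RECORDS = {
    1001: CustomerRecord(1001, 1, "Ada Example", "ada@example.com", "4242"),
    1002: CustomerRecord(1002, 2, "Ben Example", "ben@example.com", "1111"),
    1003: CustomerRecord(1003, 3, "Cy Example", "cy@example.com", "9876"),
}


class Unauthenticated(Exception):
    """No valid session presented."""


class Forbidden(Exception):
    """Valid session, but the record belongs to another account."""


def lookup_before_fix(session_user_id: Optional[int], record_id: int):
    """Original exposure: whoever has the link (the record id) gets the
    record; the session is ignored entirely."""
    return RECORDS.get(record_id)


def lookup_auth_only(session_user_id: Optional[int], record_id: int):
    """The 'fix' Krebs describes: a login is required, but nothing checks
    that the logged-in user owns the record, so any account can still walk
    through every id."""
    if session_user_id is None:
        raise Unauthenticated("login required")
    return RECORDS.get(record_id)


def lookup_with_ownership(session_user_id: Optional[int], record_id: int):
    """Object-level authorization: the caller must be logged in AND be the
    owner of the requested record."""
    if session_user_id is None:
        raise Unauthenticated("login required")
    rec = RECORDS.get(record_id)
    if rec is None:
        return None
    if rec.owner_user_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not read record {record_id}")
    return rec


Lookup = Callable[[Optional[int], int], Optional[CustomerRecord]]


def access_outcome(lookup: Lookup, session_user_id: Optional[int], record_id: int) -> str:
    """Classify one access attempt under a lookup policy."""
    try:
        rec = lookup(session_user_id, record_id)
    except Unauthenticated:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"
    return "ok" if rec is not None else "not_found"


def count_readable(lookup: Lookup, session_user_id: Optional[int]) -> int:
    """How many of the sample records one session can read under a policy.
    This is the number a reviewer should compare across 'fixes'."""
    return sum(
        1 for rid in RECORDS if access_outcome(lookup, session_user_id, rid) == "ok"
    )


if __name__ == "__main__":
    for label, policy, user in [
        ("no login required ", lookup_before_fix, None),
        ("login only        ", lookup_auth_only, 2),
        ("login + ownership ", lookup_with_ownership, 2),
    ]:
        print(f"{label}: readable records = {count_readable(policy, user)} of {len(RECORDS)}")
```

Under the login-only policy a single ordinary account reads all three sample records, exactly as it read them before the fix; only the ownership check brings that down to the one record the account owns. In a real API the forbidden and not-found cases would usually both be returned as a generic 404 so that the response does not confirm which ids exist, but that is a design choice outside this sketch.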

Image credit: Flickr.

About the author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
