Popular bakery chain Panera Bread has been leaking millions of customer records in the for at least eight months in plain text, it has been revealed.
Panerabread.com, the website for popular St. Louis-based chain of bakery-café casual restaurants has leaked, on last count by cybersecurity research resource KrebsonSecurity, over 37 million records in a comprehensive data breach. Customers’ personal data, including names, email and physical addresses alongside birthdays and the last four digits of customers’ credit card numbers were all available in plain text from Panera’s site. The details were left exposed on the website, available for anyone to scoop them up.
The leak of customer data was first discovered by security professional Dylan Houlihan in plain text from August 2017. The claims were shot down by the company with a series of emails and false accusations claiming the researcher was a scammer or was interested in a bounty. Finally, Panera Bread’s information security director Mike Gustavison addressed the concern and confirmed the company was working on a resolution.
Eight months later, Houlihan publicized the leak after seeing no developments toward fixing the security holes by reaching out to noted cybersecurity journalist Brian Krebs. Panera Bread has since download the severity of the data breach, telling Fox News only “10,000 customer records were exposed.”
“Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps,” Panera Bread’s chief information officer John Meister said, insisting the company had fixed the security flaw.
However, Krebs discovered this wasn’t the case.
“Almost in an instant, multiple sources — especially @holdsecurity — pointed out that Panera had basically “fixed” the problem by requiring people to log in to a valid user account at panerabread.com in order to view the exposed customer records (as opposed to letting just anyone with the right link access the records),” Krebs wrote.
Notably, he added:
The vulnerabilities also appear to have extended to Panera’s commercial division which serves countless catering companies. At last count, the number of customer records exposed in this breach appears to exceed 37 million.
Image credit: Flickr.