Panera Bread said to have left customer data compromised for months

The chain reportedly sat on information about the web vulnerability, which sources outside the brand say could have exposed the records of millions of customers.

Security experts are blasting Panera Bread for failing to plug a chink in its data protection system, even though the company says it has found no evidence that information was stolen.

While the chain asserts that the problem has been fixed as of April 2, it left thousands of customer records vulnerable through its website, Panerabread.com, for months, according to KrebsOnSecurity.com.

In August 2017, independent security researcher Dylan Houlihan contacted Panera Information Security Director Mike Gustavison to report that he had found exposed customer information, according to KrebsOnSecurity. Gustavison acknowledged the issue, responding to Houlihan by email that same month that “We are working on a resolution.”

Fast-forward several months, and Houlihan said customer information was still accessible. Panera briefly took its website offline April 2 after KrebsOnSecurity reached out about the problem and its lack of resolution. The company said it took the site offline to “conduct essential system maintenance and site enhancements.” The customer data no longer appears to be available on the site.

In a statement obtained by KrebsOnSecurity, Panera says that the issue has been resolved. “Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved,” the statement says.

The statement also says that Panera fixed the problem within two hours of being notified of the vulnerability by KrebsOnSecurity. The chain has yet to explain why it took several months to make the fix after being contacted by Houlihan.

Exposed information included names, email and physical addresses, birthdays, the last four digits of customers’ credit card numbers, and loyalty card numbers.

The data leak affected records of customers who created an account to order food through the site. Panera has said that only 10,000 customer records were exposed, while other sources estimate that it could be millions. The chain did not respond to inquiries about the breach.
