facebook pixal

Panera Bread said to have left customer data compromised for months

The chain reportedly sat on information about the web vulnerability, which sources outside the brand say could have exposed the records of millions of customers.

Security experts are blasting Panera Bread for failing to plug a chink it its data protection system, even though no information was swiped.

While the chain asserts that the problem has been fixed as of April 2, it left thousands of customer records vulnerable through its website, Panerabread.com, for months, according to KrebsOnSecurity.com.

Independent security researcher Dylan Houlihan contacted Panera Information Security Director Mike Gustavison to report that he’d found exposed customer information in August 2017, according to KrebsOnSecurity. Gustavison acknowledged the issue, responding in August to Houlihan via email that “We are working on a resolution.”

Fast-forward several months, and Houlihan said customer information was still accessible. Panera briefly took its website offline April 2 after KrebsOnSecurity reached out about the problem and its lack of resolution. The company said it took the site offline to “conduct essential system maintenance and site enhancements.” The customer data no longer appears to be available on the site.

In a statement obtained by KrebsOnSecurity, Panera says that the issue has been resolved. “Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved,” the statement says.

The statement also says that Panera fixed the problem within two hours of being notified of the vulnerability by KrebsOnSecurity. The chain has yet to explain why it took several months to make the fix after being contacted by Houlihan.

Compromised information included names, email and physical addresses, birthdays, the last four digits of customers’ credit card information, and loyalty card numbers.

The data leak affected records of customers who created an account to order food through the site. Panera has said that only 10,000 customer records were exposed, while other sources estimate that it could be millions. The chain did not respond to inquiries about the breach.

Members help make our journalism possible. Become a Restaurant Business member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.


More from our partners