
Panera Bread is facing at least seven lawsuits filed in recent weeks in federal court after another data breach in January potentially compromised personal information of current and former customers.
The fast-casual chain discovered that an unauthorized third party gained access to its data network in a cybersecurity incident. According to the lawsuits, the exposed data includes customer names, phone numbers, addresses, email addresses, genders, birthdates and purchase histories.
It was the latest in a series of cyber attacks at Panera. Last year, the chain agreed to a $2.5 million settlement of a class-action lawsuit filed by Panera workers after a security breach shut down the fast-casual chain’s digital channels for about three days. Workers in that case said they were not notified that their personal information was compromised until weeks or months later.
The chain was also the victim of an attack in 2018 that reportedly gave hackers access to customer data for at least eight months before it was caught and stopped.
In the more recent incident, a hacker group known as ShinyHunters reportedly claimed it had stolen more than 14 million customer records. But other reports indicate the leaked dataset more likely impacted about 5.1 million unique people.
Paul Carbone, CEO of Panera Bread, on Monday confirmed that a “social engineering incident” resulted in unauthorized access to a third-party SaaS application, but the problem was fixed.
“We had independent security experts. We quickly identified the cause and strengthened controls for that third-party application,” he said. “And, importantly, the data involved did not include any payment information, employee systems, MyPanera accounts, or Unlimited Sip Club.”
The company, however, could not comment on the pending litigation.
The plaintiffs in the seven lawsuits have asked the court to consolidate the complaints as a class action, arguing that Panera failed to implement basic security procedures to protect customer data, even though it suffered a similar attack less than two years ago.
Some of the complaints also argue that Panera failed to provide timely notification of the data breach to the individuals affected.