- Panera Bread’s website reportedly allowed anyone to access customers’ personal information, including names, addresses, and partial credit card numbers.
- A security researcher says he reached out to Panera eight months ago about the leak, but that the company did nothing until Monday.
- “Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved,” Panera’s CIO said in a statement.
Panera Bread is under fire for reportedly spending months ignoring a website flaw that exposed thousands of customers’ personal information.
For at least eight months, Panera’s website leaked customer records, cybersecurity blog KrebsOnSecurity reported Monday. The exposed information reportedly included the names, email and physical addresses, birthdays, and partial credit card numbers of any customer who had signed up to order from Panera online.
According to KrebsOnSecurity, security researcher Dylan Houlihan realized that the information was visible and easily accessible in plain text from Panera’s site in August. Houlihan reportedly reached out to Panera, but he says the company failed to make any changes.
“The flaw never disappeared,” Houlihan told KrebsOnSecurity. “I checked on it every month or so because I was pissed.”
When KrebsOnSecurity contacted Panera about the issue, the company briefly took its online ordering website offline on Monday. But the flaw was not immediately fixed when the website went back online, according to a blog post written by Houlihan, as well as the findings of other security experts.
Clearly the fact that @panerabread web site is still online is testament to the notion that the company has no idea what's going on, security-wise. Shall I begin tweeting more links? When will you call in the professionals who do security for a living?
— briankrebs (@briankrebs) April 3, 2018
Later in the day on Monday, Panera took the site offline again and has apparently fixed the flaw.
A representative from Panera said the company’s investigation indicates “fewer than 10,000 consumers have been potentially affected,” a figure that KrebsOnSecurity founder Brian Krebs argued was highly unlikely.
Per my last tweet, Panera issued a statement to Fox News saying the breach only impacted 10,000 customer accounts. Interesting that they had no numbers for me, and yet had this 10k number all ready to go on the same day this was "discovered," eight months after it was reported.
— briankrebs (@briankrebs) April 2, 2018
KrebsOnSecurity reports that the issue impacted “millions” of customers, with estimates as high as 37 million, as it seems anyone who signed up to order food online from Panera could have had their information leaked.
“Panera takes data security very seriously and this issue is resolved,” John Meister, Panera Bread’s CIO, said in a statement to Business Insider.
“Following reports today of a potential problem on our website, we suspended the functionality to repair the issue,” Meister continued. “Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”