The company has more than 2,100 retail locations in the United States and Canada, and its customers can order food online for pickup in stores or for delivery.
Panera Bread left the data exposed for at least eight months after the company was first notified of the leak.
On Monday, the popular security expert Brian Krebs reported a bug affecting Panera's website that left millions of customer records exposed in plain text.
Exposed data included names, email addresses, physical addresses, birthdays, and the last four digits of customers' credit card numbers.
The company also exposed customers' Panera loyalty card numbers, which could be used by scammers to spend prepaid account balances or to steal value from Panera customer loyalty accounts.
The disconcerting aspect of the story is that Panera Bread was first notified of the issue by the security researcher Dylan Houlihan on August 2, 2017.
At first the IT staff did not acknowledge the flaw, but after further investigation the director of information technology, Mike Gustavison, told the researcher that the issue had been fixed.
Houlihan verified that the issue had not been fixed and on April 2 reported it to Brian Krebs.
“Panerabread.com, the Web site for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months before it was yanked offline earlier today, KrebsOnSecurity has learned.” states the blog post published by Krebs.
This incident is disconcerting in many respects, such as the company's response and the way it managed customers' data.
Only after Brian Krebs contacted Panera Bread did the company take the website offline.
“It is not clear yet exactly how many Panera customer records may have been exposed by the company’s leaky Web site, but incremental customer numbers indexed by the site suggest that number may be higher than seven million.” continues Krebs.
“It’s also unclear whether any Panera customer account passwords may have been impacted.”
Panera told Fox Business that the data leak affected only about 10,000 records, but experts at Hold Security estimated that the number of affected accounts is approximately 37 million.
In a written statement, Panera declared it had fixed the problem less than two hours after being notified by Brian Krebs, but Krebs rightly asked why Panera did not explain why it had taken eight months to fix the issue after Houlihan reported it.
(Security Affairs – Panera Bread, Data Leak)