Panera Bread Data Leak May Have Hit Millions: Report

Panera Bread has become the latest US restaurant chain to be exposed by poor cybersecurity after its website leaked personal data on millions of customers, according to reports.

The popular bakery-café business, which has over 2100 outlets nationwide, failed to fix an issue with its website for at least eight months, according to journalist Brian Krebs.

He claimed that researcher Dylan Houlihan first notified the firm about the leak in early August 2017. Despite being told by director of information security, Mike Gustavison, a week later that the firm was “working on a resolution,” it remained unfixed, according to the report.

The leaked records apparently included names, email and physical addresses, birth dates and the last four digits of the credit card numbers. Even worse, the information was said to be easily indexable by automated tools.

The website was taken offline briefly and the data made inaccessible, but only after Krebs spoke to CIO John Meister.

A statement from the firm had the following:

“Panera takes data security very seriously and this issue is resolved. Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”

However, in a further twist, it has been claimed that the vulnerability affected far more customers than originally thought, extending to the firm’s commercial division. Estimates have put the figure in excess of 37 million.

The site was offline again at the time of writing.

Imperva CTO, Terry Ray, claimed the FTC and PCI regulators may be keen to scrutinize this particular incident.

“Panera appears to have had an application security practice in place, so any investigation will likely spend time understanding what Panera monitored of normal versus abnormal activity, did they have a regularly scheduled security assessment run against their public websites, and did they correct poor coding practices once found,” he explained. 

“It seems at a minimum, they failed to either believe and test the first finding of this breach in August and quickly rectified the issue once it went public here in April. They certainly appear capable of fixing the issue as they did quickly today, so why didn’t it happen in August when they were first alerted?"

What’s Hot on Infosecurity Magazine?