CBS Local — Panera Bread has been accused of leaking the personal information of millions of its customers. The exposure was reportedly first reported to the company in August of 2017, but nothing was done to close it for eight months.
A report from KrebsOnSecurity.com claims that Panera’s website exposed the information of up to 37 million people who created an account to order food online from the bakery chain. Names, email addresses, home addresses, birthdays, and credit card numbers were all reportedly retrievable in plain text from the company’s website.
“The #data available in plain text from Panera’s site appeared to include records for any customer who has signed up for an account to order food online via https://t.co/bb6lemD2fK.” https://t.co/Ds5bD3ud9s #breach #cybersecurity
— Kayne McGladrey has been to Texas (@kaynemcgladrey) April 3, 2018
Internet security writer Brian Krebs says the unprotected data was first reported to Panera on Aug. 2, 2017. Security researcher Dylan Houlihan alerted Panera to the leak; however, his report was allegedly dismissed by Panera’s director of information security, Mike Gustavison.
“Fast forward to early this afternoon — exactly eight months to the day after Houlihan first reported the problem — and data shared by Houlihan indicated the site was still leaking customer records in plain text,” Krebs wrote on April 2.
Panera released a statement shortly after the report, downplaying the scale of the exposure. Company officials claim fewer than 10,000 customers were affected by the leak. Krebs immediately took to Twitter to challenge Panera’s claim, revealing that the chain’s fix was incomplete and still left millions of customer records on its catering site exposed.
Hey @panerabread : before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn't extend to all other parts of your business, like https://t.co/rSpkwc3y1v, etc. Only proper response is to deep six entire site
— briankrebs (@briankrebs) April 2, 2018
Coincidentally, Gustavison previously worked for Equifax as its chief of security operations from 2009 to 2013. That company was also involved in a massive data breach scandal last year, after Equifax revealed that the personal information of over 143 million people had been exposed.
“Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved,” Panera’s information officer John Meister told Reuters.