Panera Bread May Have Just Exposed Millions of Customers’ Personal Data
Millions of Panera Bread customers may have had their personal data exposed by the fast-casual restaurant chain, according to security experts.
Until Monday, a large volume of customer information — including names, email addresses, home addresses, birth dates and the final four digits of credit card numbers — was accessible as plain text on the company’s website, according to a report from security writer Brian Krebs. It’s not clear whether anyone actually accessed any of the data, which had been supplied by customers who created accounts for food delivery and other services.
The problem was first identified by security researcher Dylan Houlihan, who supplied Krebs with emails dating back to August 2017 that show Houlihan informing Panera’s information security director about the leak. “Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months,” Houlihan wrote in a Medium post.
In a statement provided to Fox News on Monday, Panera said the issue had been resolved and had affected fewer than 10,000 customers. “Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved,” the statement reads.
Krebs, however, responded to that statement on Twitter, suggesting that the problem may have been much larger than Panera let on and that vulnerabilities remained on the website. He estimates that as many as 37 million Panera members may have been caught up in the breach, far higher than his initial estimate of 7 million.