Panera Bread Website Reportedly Leaked Customer Data For Months
Following the unfortunate trend of large cooperations apparently hit by security breaches like Equifax, My Fitness Pal, and Saks and Lord & Taylor, NBC News and other outlets are reporting today that according to a security expert, Panera Bread exposed the data of millions of its customers, including their "names, emails, addresses, birthdays and partial credit card numbers."
The breach was reported yesterday by Brian Krebs, who describes himself in his Twitter bio as an "independent investigative journalist." He was contacted by security researcher Dylan Houlihan, who noticed the breach and tried to contact Panera Bread about it months ago, receiving little response.
https://t.co/Y2Phv4yUdo, the Web site for the bakery-cafe chain by the same name, leaked millions of customer records — including names, DOBs, email/street addresses, last 4 of credit card — until today: https://t.co/S3sIx99HyG Worst part: They were first notified 8 months ago pic.twitter.com/QBw5lj6FmD
— briankrebs (@briankrebs) April 2, 2018
The main thing that really chaps me about this @panerabread data breach fiasco is that the standup researcher who reported it didn't even want publicity. He suggested I didn't need to name him in my story today. And yet they ignored him. https://t.co/S3sIx99HyG
— briankrebs (@briankrebs) April 3, 2018
Houlihan outlined his communications with Panera in a Medium blog post titled, "No, Panera Bread Doesn't Take Security Seriously." He describes trying to alert the company to the problem basically offering up this information as an interested party (as a Panera customer, his own data was also in danger of being exposed), only to be basically dismissed.
Once Houlihan contacted Krebs, and Krebs made his findings of the breach public, Panera finally made a statement, after taking the website down a few times. In a statement sent to CNBC, Panera's chief information officer John Meister said,
Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved. Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue and we are working diligently to finalize our investigation and take the appropriate next steps.
But Krebs kept checking the site, and saying that he could still access the leak, maintaining that the numbers of affected customers were much higher than the 10,000 or so that Meister mentioned.
Hey Panera, despite your statements to the contrary, you still haven't fixed this customer info leak. Would you like to revisit the 10k number you just gave to Fox news? https://t.co/AJeiq6Dfd0
— briankrebs (@briankrebs) April 2, 2018
The Panera website was down for a bit, hopefully because the company is taking a closer look at its security issues. Houlihan sums the situation up at the end of his Medium post: "Until we start holding companies more accountable for their public statements with respect to security, we will continue to see statements belying a dismissive indifference with PR speak... When Panera Bread says 'We take security seriously,' they mean 'We didn't take it seriously enough.'"