Panera Bread Knew About a Security Risk for 8 Months—And Didn’t Fix It
The company was informed that customer data wasn’t secure back in August.
At-risk data includes customers’ names, email and mailing addresses, birthdays, and the last four digits of credit cards. Panera Bread loyalty card numbers, which are attached to prepaid accounts, were also accessible.
Security researcher Dylan Houlihan informed the fast-casual giant of the data breach in August 2017. Houlihan reached out to Krebs on Security to notify them that Panera had not done anything to fix the leak for over 8 months.
After Krebs on Security informed the public of the information breach, Panera briefly took down their website to fix the issue. As of today the data is no longer reachable, according to Krebs on Security.
Panera’s Chief Information Officer John Meister said in a statement to CNBC, "Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved."
The company claims their investigation indicates fewer than 10,000 customers have been affected by the data breach, according to CNBC. Despite this, Krebs on Security is insistent that Panera has downplayed the risk of the data breach, claiming millions are at risk.
Anyone who uses Panera Bread’s online ordering is encouraged to check their accounts, change their passwords, and monitor their credit card statements.