Panera Bread has acknowledged an issue with its website that security experts say exposed the personal information of millions of customers of the American bakery chain.
Names, home addresses, email addresses and truncated credit card data for Panera Bread customers were publicly accessible in plain text through the chain’s website this week, eight months after its director of information security was first alerted, the KrebsOnSecurity blog reported Monday.
Security researcher Dylan Houlihan said he notified Panera Bread about the vulnerability on Aug. 2, and that he contacted security reporter Brian Krebs on Monday after realizing the website was still leaking data.
“Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months,” Mr. Houlihan said.
Panera Bread acknowledged the breach Monday but said that far fewer people were affected than the roughly seven million Mr. Krebs first reported.
“Panera takes data security very seriously, and this issue is resolved,” John Meister, Panera Bread’s chief information officer, said in a statement. “Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps.”
Mr. Krebs and Mr. Houlihan said the issue wasn’t resolved, however, and that the vulnerability remained across Panera’s website following Mr. Meister’s statement Monday; the exposure affected more than 37 million customer records, Mr. Krebs subsequently reported.
Panera Bread did not immediately return an email seeking further comment.
“The Panera Bread incident is a textbook example of security crisis mismanagement,” said Roy Feintuch, a co-founder of Dome9, an Israeli cybersecurity firm. “What we’re seeing is poor application security design that exposes internal resources, compounded by poor incident response, negligence and pure lies.”
Michael Daly, the chief technical officer of cybersecurity for U.S. defense contractor Raytheon, agreed.
“If organizations do not have adequate governance, risk management and response structures in place, they can expect to face incidents like this one,” he said.
Based near St. Louis, Panera Bread operates over 2,100 locations in the U.S. and Canada. Compromised customer data leaked through its website included the full name, home address, email address, food/dietary preferences, username, phone number, birthday and last four digits of a saved credit card for any user who had ever signed up for an account through its online delivery service, according to Mr. Houlihan.
Panera Bread assigns customers sequential integers for their account numbers, “which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you’d like, up to and including the entire database,” Mr. Houlihan said.
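The weakness Mr. Houlihan describes is a lookup that trusts a guessable record number instead of the caller’s identity. The following is an added illustration, not code from Panera or from the researchers, showing the two defender-side controls: a hardened lookup that compares the requested account ID against the authenticated session, and a detector that flags a client walking consecutive IDs in constructed sample access-log lines (the endpoint path, IPs and IDs are invented for the example).

```python
import re
from collections import defaultdict

# Constructed sample records and access-log lines; nothing here comes from the incident.
RECORDS = {1001: {"name": "A. Example"}, 1002: {"name": "B. Example"}}
SAMPLE_LOG = """\
203.0.113.7 GET /api/users/1001 200
203.0.113.7 GET /api/users/1002 200
203.0.113.7 GET /api/users/1003 200
203.0.113.7 GET /api/users/1004 200
203.0.113.7 GET /api/users/1005 200
198.51.100.4 GET /api/users/4410 200
198.51.100.4 GET /api/users/4410 200
"""
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) /api/users/(?P<id>\d+) (?P<status>\d{3})$")


def get_profile(session_user_id, requested_id):
    """Hardened lookup (hypothetical handler): object-level authorization.
    The record is returned only when the ID in the URL matches the ID bound
    to the authenticated session, so guessable sequential IDs reveal nothing."""
    if session_user_id != requested_id:
        return None
    return RECORDS.get(requested_id)


def find_sequential_enumeration(log_text, min_run=4):
    """Return {client_ip: longest_run} for clients whose requested account IDs
    form a run of consecutive integers at least min_run long; a normal user
    re-reading their own profile never produces such a run."""
    ids_by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ids_by_client[m["ip"]].append(int(m["id"]))
    flagged = {}
    for ip, ids in ids_by_client.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged
```

Run against the constructed log, the detector flags only the client that incremented through five consecutive IDs, while the hardened lookup returns a record only to the session that owns it.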
Andrew Blake can be reached at ablake@washingtontimes.com.