Panera Leaves Customer Data Exposed Online For Months

Panera left the data of millions of customers exposed for eight months or more before removing it from the bakery restaurant’s website Monday (April 2), reported KrebsOnSecurity.

According to KrebsOnSecurity, the data, which includes names, email and physical addresses, birthdays, loyalty card numbers and the last four digits of credit card numbers, was visible in plain text on the Panerabread.com website for anyone who signed up to place online food orders from the website for pickup or delivery. The data, according to the report, was searchable by different categories, including loyalty account number. Web visitors, for example, could search by phone number or email address.

KrebsOnSecurity said it was alerted to the leak by Dylan Houlihan, a security researcher who had let Panera know about the issue on August 2, 2017. According to an email thread between Houlihan and what appears to be Mike Gustavison, Panera’s director of information security, the researcher’s report was initially dismissed as a scam. A week later, however, an email implied that Panera was working to correct the situation, with Gustavison writing, “Thank you for the information we are working on a resolution,” reported KrebsOnSecurity.

As of April 2, however, the data was still available in plain text and could still be indexed and searched. “Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you’d like, up to and including the entire database,” Houlihan told KrebsOnSecurity. The report noted that shortly after Panera was contacted for comment on the matter, the information was removed from the website.
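The sequential account IDs Houlihan describes leave a recognizable trace in web access logs: a single client successfully reading a long run of consecutive IDs. The following detection sketch is an added example, not code from the report or from Panera; the `/api/account/<id>` path, the log layout, the addresses and the run threshold are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log; the path, layout and addresses are assumptions.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 [02/Apr/2018:10:00:{s:02d}] "GET /api/account/{1001 + s} HTTP/1.1" 200'
     for s in range(6)]
    + ['203.0.113.7 [02/Apr/2018:10:00:06] "GET /api/account/1007 HTTP/1.1" 404',
       '198.51.100.20 [02/Apr/2018:10:01:00] "GET /api/account/48213 HTTP/1.1" 200',
       '198.51.100.20 [02/Apr/2018:10:05:00] "GET /api/account/48213 HTTP/1.1" 200',
       '192.0.2.55 [02/Apr/2018:10:02:00] "GET /api/account/77 HTTP/1.1" 200',
       '192.0.2.55 [02/Apr/2018:10:02:30] "GET /api/account/5120 HTTP/1.1" 200',
       'malformed line that the parser must skip']
)

LINE_RE = re.compile(
    r'^(\S+) \[[^\]]+\] "GET /api/account/(\d+) HTTP/[\d.]+" (\d{3})$')


def longest_run(ids):
    """Length of the longest run of consecutive integers among the given IDs."""
    best = run = 0
    prev = None
    for i in sorted(ids):
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best


def find_enumerators(log_text, min_run=5):
    """Map each client to its longest run of consecutive account IDs read
    successfully, keeping only clients at or above min_run."""
    ids_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(3) == "200":  # only successful reads expose data
            ids_by_client[m.group(1)].add(int(m.group(2)))
    runs = {client: longest_run(ids) for client, ids in ids_by_client.items()}
    return {client: n for client, n in runs.items() if n >= min_run}


if __name__ == "__main__":
    for client, n in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {n} consecutive account IDs read")
```

Detection of this kind complements, and does not replace, a server-side check that each account record is returned only to its authenticated owner.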

It’s not clear how many customers were impacted by the data leak, but based on customer numbers indexed by Panera, it could amount to more than 37 million, reported KrebsOnSecurity. It’s also not clear if customer account passwords were impacted as a result of the issue.

“Panera takes data security very seriously and this issue is resolved,” Panera said in a statement to KrebsOnSecurity. “Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”

KrebsOnSecurity said that in a subsequent statement to Fox News, the company claimed the breach only impacted 10,000 customers. But Hold Security, a research firm, contends the data breach could have impacted more than 7 million customers, with the data vulnerability also extending to the company’s catering-for-companies unit. All told, KrebsOnSecurity thinks more than 37 million customers’ account information may have been inadvertently leaked.