Everyone who has an account on PaneraBread.com should worry about their privacy
American chain bakery-cafe Panera Bread did not protect its customers. Millions of users who took advantage of the food ordering service should worry about their privacy, because their names, contact details, addresses, and the last four digits of their credit card numbers were leaked from the PaneraBread.com website.
The data breach was reported at the beginning of April. However, it seems that the problem could have been avoided. On the 2nd of August 2017, security researcher Dylan Houlihan reported to Panera's director of information security that data was being leaked from their site. He was told that the company was working on fixing the issue.
However, Houlihan kept an eye on them and noticed that the same security vulnerability still existed. In April this year, KrebsOnSecurity reported that customer information could be retrieved from PaneraBread.com in plain text.
According to recent reports, millions of customers' full names, addresses, emails, birthdays, last four digits of credit card numbers and Panera loyalty card numbers were leaked. Additionally, attackers could search the database for customers by phone number or other personal information.
Therefore, crooks and scammers can find personal information about a specific person and use it against them, or they might take advantage of the loyalty cards that are associated with prepaid accounts.
PaneraBread.com went offline soon after the data leak was reported
Representatives of the company said that they take the data breach seriously and are working on the issue:
Following reports today of a potential problem on our website, we suspended the functionality to repair the issue.
Panera supposedly needed less than two hours to fix the issue and report it publicly. But if the issue was so minor, why didn't they pay attention to Houlihan's reports in August? The security researcher himself doubts that the company did a proper job:
A company is incompetent enough to leave a gaping hole like this trivially open for eight months after initial notification, yet it's competent enough to review its logs definitively within two hours of the publicity?
More criticism followed soon after. Information security and cyber investigation agency Hold Security reported that Panera Bread had only asked customers to log in to their accounts and check their exposed customer records. However, the same issues were detected in the company's commercial division, which makes the Panera leak even bigger.
37 million users' data might have been leaked
Two hours after the company reported shutting down its site to fix the issue, Panera reported that the problem was solved. Representatives told Fox News that only 10,000 customers' information was leaked. However, everyone doubted that, and researchers started digging deeper.
Hold Security reported that the number of affected customers might be around 7 million. Although this number is far bigger than the one Panera Bread reported itself, it is not the final count.
Researchers analyzed associated catering companies and other commercial divisions, and the same vulnerabilities were detected there. The latest reports say that around 37 million customer records were leaked.
There is no doubt that such an incident could have been avoided if the company had not ignored the issue last August. Now the company has to deal with the damage and the possible risks to customers' privacy.
PaneraBread.com users are advised to review their account information and change all their passwords. Additionally, monitoring credit card statements and banking transactions is also needed. If you see an unrecognized transaction, report it to your bank immediately.