Panera Bread's website exposed customer data for months, report says


Houlihan wrote that Gustavison, the information security director at Panera he corresponded with in August, was senior director of security operations at Equifax from 2009 to 2013.

The all-you-can-eat menu on its website offered online account holders' full names, home addresses, email addresses, dietary preferences, usernames, phone numbers, birthdays and the trailing four digits of saved credit cards to anyone able to construct a simple web query.

KrebsOnSecurity says Houlihan contacted Panera on August 2nd, 2017, and then again to follow up a week later.


A security researcher says he reached out to Panera eight months ago about the leak, but that the company did nothing until Monday.

To make matters worse, it seems that Panera Bread was not quick to fix the problem either.

Panera Bread is under fire for reportedly spending months ignoring a website flaw that exposed thousands of customers' personal information. It's not clear whether anyone actually accessed any of the data, which was supplied by customers who had made accounts for food delivery and other services.


"I checked on it every month or so because I was pissed," he told Krebs.

The website was put back online later Monday, but the data no longer appeared to be reachable, according to Krebs.

The security news website KrebsOnSecurity first reported the data leak. But according to another data security firm cited by Krebs, the actual number of leaked records "appears to exceed 37 million."


Meister also said the company's investigation into the matter to date indicated that fewer than 10,000 consumers had been potentially affected and it was working to finalize the investigation and take the appropriate next steps. "Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved."
