Panera Bread exposed the records of 37 million customers – including addresses and the last four digits of their credit card numbers – on its website, a report has revealed.
The information, which also included names, email addresses, and birthdays, may have been exposed for at least eight months, according to KrebsOnSecurity.
Investigative cybercrime journalist Brian Krebs found that these records were available in plain text from panerabread.com, the site customers use to order food online for delivery or pick-up.
Krebs said Panera Bread was informed of the flaw in August 2017 by security researcher Dylan Houlihan.
Houlihan shared emails with Krebs dated August 9, 2017 in which Panera’s director of information security, Mike Gustavison, said the company was ‘working on a resolution’.
But Houlihan said the flaw ‘never disappeared’.
‘I checked on it every month or so because I was pissed,’ he told Krebs.
Krebs then found that customer records could still be easily indexed from the site with ‘very little effort’.
‘The format of the database also lets anyone search for customers via a variety of data points, including by phone numbers,’ Krebs added.
Krebs noted that customers’ Panera loyalty card numbers were also exposed, which scammers could potentially abuse.
Further research revealed that the exposure also extended to Panera’s commercial division, which includes its catering business.
Krebs said the website was briefly taken offline on Monday after he spoke to Panera’s chief information officer.
Panera said the same day that it had ‘resolved’ the security flaw and that it affected ‘fewer than 10,000 consumers’, a figure far below the 37 million records Krebs reported.
‘Panera takes data security very seriously, and this issue is resolved,’ Panera Bread Chief Information Officer John Meister told FOX Business.
‘Following reports today of a potential problem on our website, we suspended the functionality to repair the issue.’
‘Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.’
‘Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps.’