Panera Bread issued a statement to Fox News this week saying it resolved a data breach that exposed the personal information of “thousands” of customer records. However, according to KrebsOnSecurity, the company was first alerted to the issue by security researcher Dylan Houlihan eight months ago but initially dismissed it as a likely scam.
The exposed data was available in plain text and appears to include records for any customer who signed up to order food via Panera’s website, panerabread.com. Revealed information includes individuals’ names, emails, physical addresses, birthdays, and the last four digits of the credit card used.
The formatting, which uses incremental unique identifiers, makes the data easy to scrape. “Panera Bread uses sequential integers for account IDs,” Houlihan told KrebsOnSecurity, “which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you’d like, up to and including the entire database.”
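The two controls a defender would want after reading the paragraph above are an authorization check that ties each record to the logged-in user (so knowing an ID is not enough to read it) and a log query that flags a client walking through consecutive IDs. The following is an added example and not code from Panera, KrebsOnSecurity, or the researcher; the log line format, the `/api/account/<id>` path, and the account store are constructed for illustration.

```python
"""Object-level authorization for sequential account IDs, plus detection of
ID-enumeration runs in access logs. Added example with constructed data."""
import re
from collections import defaultdict

# Constructed sample access log (assumed format: client IP, method, path, status).
SAMPLE_LOG = """\
203.0.113.7 GET /api/account/100017 200
203.0.113.7 GET /api/account/100018 200
203.0.113.7 GET /api/account/100019 200
203.0.113.7 GET /api/account/100020 200
203.0.113.7 GET /api/account/100021 200
198.51.100.4 GET /api/account/100452 200
198.51.100.4 GET /api/menu 200
203.0.113.7 GET /api/account/100022 200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) GET /api/account/(?P<id>\d+) (?P<status>\d{3})$")


def find_enumerators(log_text, min_run=5):
    """Return {ip: longest_run} for clients whose account requests, in log
    order, contain an increasing run of consecutive IDs of length >= min_run.
    Only account lookups are considered; other paths are ignored."""
    ids_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ids_by_ip[m["ip"]].append(int(m["id"]))
    flagged = {}
    for ip, ids in ids_by_ip.items():
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[ip] = longest
    return flagged


# Constructed account store (assumed schema); sequential IDs as in the article.
ACCOUNTS = {
    100017: {"owner": "alice", "email": "alice@example.com", "card_last4": "4242"},
    100018: {"owner": "bob", "email": "bob@example.com", "card_last4": "1881"},
}


class Forbidden(Exception):
    """Raised when a session may not read the requested account."""


def get_account_insecure(account_id):
    """Vulnerable pattern: any caller who supplies an ID receives the record,
    so incrementing the ID walks the whole table."""
    return ACCOUNTS.get(account_id)


def get_account(account_id, session_user):
    """Hardened pattern: the record is returned only to the authenticated user
    who owns it. Unknown and foreign IDs both raise Forbidden, so the response
    does not reveal which IDs exist."""
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("account not accessible to this session")
    return record


def can_read(account_id, session_user):
    """Boolean wrapper around get_account for callers that only need a verdict."""
    try:
        get_account(account_id, session_user)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("enumerating clients:", find_enumerators(SAMPLE_LOG))
    print("alice reads own record:", can_read(100017, "alice"))
    print("alice reads bob's record:", can_read(100018, "alice"))
```

The authorization check is the actual fix: switching to random identifiers alone only slows guessing, while a per-request ownership check stops it regardless of how IDs are generated. The log scan is a cheap complement for spotting the pattern in existing traffic; in production it would run over real request logs with a rate window rather than a single static string.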
KrebsOnSecurity says Houlihan contacted Panera on August 2nd, 2017, and then again to follow up a week later. A shared message thread between Houlihan and Mike Gustavison, Panera’s director of information security, shows that Panera did eventually validate Houlihan’s findings, saying the company was working on a fix. However, as of yesterday, the website was still leaking data. Houlihan says the flaw continued to exist, and he “check[ed] on it every month or so because I was pissed.”
KrebsOnSecurity spoke with Panera’s chief information officer John Meister yesterday, and the company briefly took the website offline. It has since returned, and the data is no longer reachable. However, the company had no comment as to why it allowed the problem to persist for months after acknowledging it was an issue last August. KrebsOnSecurity says the number of accounts affected may be as high as 37 million; Panera disputes that figure, saying only 10,000 records were exposed.
“Panera takes data security very seriously and this issue is resolved,” the company said in a written statement. “Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”
Several companies have had sizable data breaches in the past year: Orbitz may have exposed information tied to about 880,000 credit cards, OnePlus temporarily shut down credit card payments for its online store after it said up to 40,000 customers were affected by a breach in January, and malware stole Chipotle customer credit card information from restaurants in every state the chain operates in.