Panera Bread’s website reportedly exposed millions of customer records for months, until the site was taken offline completely. The site (panerabread.com) was taken down a few days ago, and is down as of this writing.
The user account information exposed by the site included names, email addresses, physical addresses, birthdays, and the last four digits of customer credit card numbers, according to Krebs on Security. Brian Krebs wrote, “At last count, the number of customer records exposed in this breach appears to exceed 37 million.”
Panera’s own statement claimed that only 10,000 customers were affected by the breach — a statement which was disputed by Krebs and others.
Hey @panerabread : before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn't extend to all other parts of your business, like https://t.co/rSpkwc3y1v, etc. Only proper response is to deep six entire site
— briankrebs (@briankrebs) April 2, 2018
A Medium post from security researcher Dylan Houlihan gives further information about the incident, and it appears to show just how flippantly Panera Bread treated the data issue from the get-go.
The post, titled “No, Panera Bread Doesn’t Take Security Seriously,” includes alleged email screenshots from Houlihan, in which he warns Panera Bread Information Security Director Mike Gustavison of the site’s vulnerability back in August 2017.
Houlihan found Gustavison to be accusatory, and his ultimate response to be “not appropriate whatsoever.” The site’s vulnerability remained until the last few days, when Houlihan approached Krebs, who posted the article about the vulnerability.
It remains to be seen how Panera Bread will deal with this particular incident going forward. The company’s site is down, and the chain’s Twitter account has yet to tweet anything about the leak.
Hopefully, Panera will take the time to fully fix any vulnerability on its site. But it certainly appears that the company didn’t take a legitimate warning seriously, and allowed the vulnerability to linger for months.
This particular incident illustrates the need for greater overall corporate responsibility when it comes to cybersecurity — it’s not just an issue with Panera Bread. Companies need to treat customer private data as if it were their own, and if they aren’t willing to do so, we’d hope that some meaningful legislation could change that.