Panera Bread’s Website Leaked Customer Information For Months

Panera Bread’s website reportedly exposed millions of customer records for months, until the site was taken offline entirely. The site ( was taken down a few days ago and remains down as of this writing.


The user account information exposed by the site included names, email addresses, physical addresses, birthdays, and the last four digits of customer credit card numbers, according to Krebs on Security. Brian Krebs wrote, “At last count, the number of customer records exposed in this breach appears to exceed 37 million.”

Panera’s own statement claimed that only 10,000 customers were affected by the breach — a statement which was disputed by Krebs and others.

A Medium post from security researcher Dylan Houlihan gives further information about the incident, and it appears to show just how flippantly Panera Bread treated the data issue from the get-go.

The post, titled “No, Panera Bread Doesn’t Take Security Seriously,” includes alleged email screenshots from Houlihan, in which he warns Panera Bread Information Security Director Mike Gustavison of the site’s vulnerability back in August 2017.

Houlihan found Gustavison to be accusatory, and his ultimate response to be “not appropriate whatsoever.” The vulnerability remained in place until the last few days, when Houlihan approached Krebs, who published the article describing it.

Leeks…Or Leaks?

It remains to be seen how Panera Bread will deal with this particular incident going forward. The company’s site is down, and the chain’s Twitter account has yet to tweet anything about the leak.

Hopefully, Panera will take the time to fully fix any vulnerability on its site. But it certainly appears that the company didn’t take a legitimate warning seriously, and allowed the vulnerability to linger for months.

This particular incident illustrates the need for greater overall corporate responsibility when it comes to cybersecurity — it’s not just an issue with Panera Bread. Companies need to treat customer private data as if it was their own, and if they aren’t willing to do so, we’d hope that some meaningful legislation could change that.

Phil Dzikiy

Phil Dzikiy is the former editor in chief of Security Baron. Before that, he worked as a freelance writer and editor at websites like and along with publications like the Lockport Union Sun & Journal and the Greater Niagara Newspapers. With digital and print experience under his belt, Phil has a passion for all things technology, including home security, cyber security, and the smart home. His bachelor's degree in Journalism from the University of Maryland College Park landed Phil his first job at the Beaver County Times, which has led to over 15 years of experience as a journalist.