Panera Bread, the bakery-cafe that was an early pioneer of fast-casual dining, notified customers yesterday that millions were affected by a data breach stemming from the restaurant’s website.
The company knew about the at-risk data — which included names, email and mailing addresses, birthdays, and the last four digits of the customer’s credit card — for nearly a year before it took the leaking page on its website offline yesterday, according to KrebsOnSecurity. The security experts at Krebs also point out that Panera loyalty card numbers were leaked as well; these are attached to prepaid accounts, which can be used by anyone with the number.
Any consumer — including corporate and catering clients — who used Panera’s online system to order food (for pick-up or delivery) in the U.S. and Canada was affected. Based on usage data, Krebs estimates that data from at least 37 million consumers was leaked. Consumers who have used Panera’s online ordering system are encouraged to review their account information, change passwords, and monitor their credit reports.
Krebs says a security researcher, Dylan Houlihan, discovered the breach last year. When he alerted Panera, the company initially dismissed Houlihan’s concerns as a scam. A week later Panera confirmed it was working on a fix. But consumer information was out in the open in those intervening months, during which Panera did nothing to hide that information from automated web crawlers or even novice hackers.
Panera’s website was down for several hours late yesterday.
Reached for a statement, a representative for Panera Bread told Eater:
Panera takes data security very seriously and this issue is resolved. Following reports today of a potential problem on our website, we suspended the functionality to repair the issue.
Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved. Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue and we are working diligently to finalize our investigation and take the appropriate next steps.
As Krebs points out, this doesn’t explain why it took Panera so long to institute a mandatory login, or publicly acknowledge the issue. Eater has reached out to Panera for further clarification. Perhaps the sandwich company’s relative success with its mobile ordering and payment systems was too good to put the brakes on. Then again, longstanding consumer trust might just supersede that.