Published: Thu, April 05, 2018
Sci-tech | By Spencer Schmidt

Panera Bread says customer information leak is patched


Krebs noticed months later that the customer data was still accessible, something that Houlihan confirmed.

Panera Bread apparently did just that.

Houlihan wrote that Gustavison, the information security director at Panera he corresponded with in August, was senior director of security operations at Equifax from 2009 to 2013. Panera confirmed the problem, saying it affected only 10,000 of its customers. Houlihan notified the company about the problem in August 2017 and got a response promising that its team was "working on a resolution", but it didn't take down the info until KrebsOnSecurity got involved - twice.

The data included customer names, email addresses, physical addresses, dates of birth and loyalty card numbers, as well as the last four digits of credit card numbers.

Minutes after this story was published, Panera gave a statement to Fox News (no link will be provided) downplaying the severity of this breach, stating that only 10,000 customer records were exposed. However, Houlihan noticed a huge bank of enumerable data that a hacker could easily crawl through, mining it for customer information.

Houlihan's warning was dismissed as a scam initially.

He said he contacted Mike Gustavison, Panera's director of information security.

Site owner Brian Krebs, a former Washington Post reporter, was tipped off to this story by security researcher Dylan Houlihan.

No payment information or full credit or debit card numbers were stolen, the report said. At last count, the number of customer records exposed in this breach appears to exceed 37 million.

Millions of Panera Bread customers may have had their personal data exposed by the fast-casual restaurant chain, according to security experts.

New York-based e-commerce fraud prevention firm Forter says its research shows that QSR companies are especially vulnerable to fraud attacks.

Fetching millions of accounts via query could be a challenge if Panera used a more secure, non-intuitive account numbering scheme.

The security aspect of cyber is even tougher if you ignore it for months.

However, as of yesterday, the website was still leaking data.

Do you use the Panera Bread website?
