Was Panera Bread Breached?

People may wonder whether or not Panera Bread's sensitive customer data was breached. Fox News says one thing, while CNN says another, and misleading headlines cause further headaches for readers. The truth is that we are not sure whether the data was actually stolen, but it was definitely left exposed for at least 8 months.

Panera Bread has many locations across the country, so many people are fairly familiar with them. They serve sandwiches, salads, and other cafe staples that many people enjoy. But sadly, their online “security” left many people’s data available for anyone to access.

The issues discovered.

A security researcher named Dylan Houlihan first discovered the issue 8 months ago. As a customer of the company and a responsible researcher, he was concerned by his findings. He reached out to Panera Bread’s head of security right away and shared the details of the issue.

Panera Bread’s online ordering portal leaked customer names, email addresses, phone numbers, and the last four digits of saved credit cards. Any attacker aware of the issue could retrieve the data easily. And because of how the records were stored and retrieved, it was easy to collect large amounts of data at once.

Mike Gustavison, the security chief at Panera Bread at the time, confirmed days later that they planned to fix the issue. Houlihan continued checking to make sure they had resolved it. Unfortunately, 8 months later, the issue was still there.

Going to the press.

Frustrated with the exposure of his and many other people’s data, Houlihan contacted Brian Krebs with the information. Krebs picked up the story and soon confirmed it, estimating that 7 million records were at risk. That figure was only his best guess at the time, based on limited information.

[Image] The data left on Panera Bread’s website exposed card numbers, names, emails, and phone numbers, all in plain text. (Source: KrebsOnSecurity.com)

Krebs then contacted John Meister, the current CIO at Panera Bread, with questions about the issue. Soon after, the online ordering website went down for maintenance while they worked on the problem.

It’s worth noting that Krebs did not publish the story before alerting Panera Bread. But although they said they had resolved the problem, worse news was yet to come.

More research performed.

Panera Bread responded with typical statements such as, “We take data security very seriously.” In a statement to Fox, they downplayed the risk to the public, claiming that only about 10,000 accounts were at risk. But soon after, researchers dug further.

Hold Security found that the issue had not been resolved; you now just had to create a user account to access the data. To make matters worse, the issue affected catering customers too. This meant that the site exposed closer to 37 million customer records.

[Image] This tweet from Brian Krebs pointed out that the issue was more widespread than initially believed. (Source: Twitter, @BrianKrebs)

Later the same day, Panera Bread took down their entire site. It has since come back online, and there has been no word yet of further leaks. But the way they handled the exposure is concerning.

So was Panera Bread Breached?

As we mentioned, it is uncertain. The data was out in the open for at least 8 months. We don’t know whether anyone accessed it during that time, but it was easy to do. Plus, after they claimed they had fixed it, researchers found otherwise. During that time, just about anyone could have accessed the data. So it may be wise to act as though Panera Bread’s data was breached.

It is highly likely that at least some, if not all, of the data was taken. Full names, email addresses, phone numbers, and partial credit card numbers are all useful in scams. If you made an account at Panera Bread and saved your payment card, attackers may have this data.

Remember, anyone who made an account on Panera Bread’s website may be affected, so the people of Albuquerque are not immune to this breach.


So what should I do?

If you made an account on Panera Bread’s online ordering site, you need to be on the lookout for scam emails and phone calls. Criminals may use the partial digits of your credit card to sound like an official institution. If they appear genuine enough, they may trick you into giving them more data so that they can use your card.

It may also be wise to consider contacting your bank or card issuer. Banks do not want to deal with credit card fraud either; in the end it costs them money. So inform them of the possible breach, and they will often replace your card. If the last four digits of your exposed card do not match your new one, it will be much harder to actually scam you.

Also keep in mind that scams may arrive more often through the phone number and email address you gave Panera. These may be harder to change, depending on the information you gave, but simply remembering that scams may occur can save you from a costly mistake. Be extra cautious with these particular channels of communication.

Astria is here to help!

Finally, in the case of email, proper filtering services can cut off a lot of scams before they reach you. Astria Business Solutions has many products to fit your needs, and we are happy to help you however we can. Email filtering prevents much of the junk, scams, and malware from ever reaching your inbox.

Whether or not Panera Bread breached your data, Haider Consulting is ready to secure your business. Contact us today for help!