CBS Local — Panera Bread has been accused of leaking the personal information of millions of their customers. The data breach was reportedly discovered in August of 2017 but nothing was done to correct the leak for eight months.
A report from KrebsOnSecurity.com claims that Panera’s website exposed the information of up to 37 million people who created an account to order food online from the bakery chain. Names, email addresses, home addresses, birthdays, and credit card numbers were all reportedly left in a plain text file on the company’s website.
Internet security writer Brian Krebs says the unprotected files were first reported to Panera on Aug. 2. Security researcher Dylan Houlihan alerted Panera to the leak; however, his claims were allegedly dismissed by director of information security Mike Gustavison.
“Fast forward to early this afternoon — exactly eight months to the day after Houlihan first reported the problem — and data shared by Houlihan indicated the site was still leaking customer records in plain text,” Krebs wrote on April 2.
Panera released a statement shortly after the report downplaying its lack of security. Company officials claim fewer than 10,000 customers were affected by the leak. Krebs immediately took to Twitter to challenge Panera’s claim and reveal that the chain’s effort to fix the problem still left millions of customers on its catering registry exposed.
Coincidentally, Gustavison previously worked for Equifax as their chief of security operations from 2009 to 2013. That company was also involved in a massive data breach scandal last year after Equifax revealed that over 143 million people had their personal information hacked.
“Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved,” Panera’s information officer John Meister told Reuters.