Online security experts allege that Panera Bread the bakery-café chain based in the U.S. had millions of its customers’ personal data available as well as searchable on its website for a minimum of eight months, leaving that data open to be stolen and used for identity theft.
A simple text page on the website of Panera revealed first and last names, physical addresses, email addresses, date of birth, telephone numbers, and the final four digits of customers’ credit and debit card numbers. This list was from customers who had signed up for delivery service, said researchers.
The leak in data was found in 2017 by Dylan Houlihan. On his LinkedIn page, Houlihan calls himself the managing principle of Break Bits that is based in New York and a data mining security consulting and reverse engineering practice.
Houlihan stated in a post on Medium.com that was just published that through email he had reached out as well as via LinkedIn and Twitter, to the director security at Panera Bread, but did not receive any reply.
Last August, Houlihan finally was introduced to the director of security with Panera and was told that Panera was working on a resolution. However, Houlihan said that months passed and no fix.
Houlihan then made contact with Brian Krebs, a former reporter with the Washington Post and a security writer who has a well-respected security blog in the industry known as KrebsOnSecurity. A Krebs post that followed brought additional attention to Panera’s situation.
Krebs at first placed the total number of Panera customers possibly affected at over seven million and then moved it up as high as 37 million.
In statements released after the post by Krebs was made, The CIO at Panera John Meister said the issue had been resolved and that the leaks had affected less than 10,000 customers.
However, both Houlihan and Krebs noted that the data in question remained searchable and public on Panera’s website. That eventually changed as the URLs of Panera now lead to a page that says, “access denied.”
News of the data leak by Panera follows a data breach that exposed user names, email addresses and passwords of more than 150 million users of fitness tracking app MyFitnessPal that Under Armour owns.
The sports apparel company said last week that it started telling its users that were affected to change passwords just days after the breach had been discovered.