A security flaw in Panera Bread’s website has left “millions” of customers’ information vulnerable to “anyone who knew where to look” for at least eight months, according to CNET.
The exposed data includes customer names, email addresses, birthdays, the last four digits of payment cards, phone numbers, and physical addresses, reports cybersecurity writer Brian Krebs. Panera loyalty card numbers, which could potentially be abused by scammers, were also exposed.
“The data available in plain text from Panera’s site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com,” Krebs said.
Another security researcher notified Panera of the website vulnerability in August 2017, but the restaurant chain didn’t address the issue until Monday. Panera confirmed the problem, saying it affected only 10,000 of its customers.
“Panera takes data security very seriously and this issue is resolved,” said John Meister, Panera’s chief information officer. “Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”
But Krebs writes that the company has only “fixed” the vulnerability “by requiring people to log in to a valid user account at panerabread.com in order to view the exposed customer records.” The data breach may also affect customers of other catering companies that fall under Panera’s commercial division.
“At last count, the number of customer records exposed in this breach appears to exceed 37 million,” Krebs said.