The personal information of millions of Panera Bread customers was reportedly left exposed online for at least eight months.
According to reports, the popular US bakery-café chain, which operates over 2,100 locations, was initially alerted of the data leak back in August 2017.
As reported by security journalist Brian Krebs, researcher Dylan Houlihan contacted the firm and was told it was “working on a resolution.” However, the issue remained unfixed.
The leaked records – exposed in plain text – appeared to belong to customers who had signed up for an account to place an order online at panerabread.com.
The data included customer names, email addresses, physical addresses, dates of birth and loyalty card numbers, as well as the last four digits of credit card numbers.
Panera Bread acknowledged the breach on Monday, telling Fox Business that 10,000 customer records were impacted.
The St. Louis-based company released the following statement:
“Panera takes data security very seriously and this issue is resolved. Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”
Meanwhile, Krebs claims Panera’s remediation continued to leave the data exposed for some time afterward.
“The vulnerabilities also appear to have extended to Panera’s commercial division, which serves countless catering companies. At last count, the number of customer records exposed in this breach appear to exceed 37 million,” wrote Krebs.
Tim Erlin, VP of product management and strategy at Tripwire, adds that the incident serves as a reminder that “security is often as much about response as prevention.”
“Organizations that collect, store and transmit customer data need to have plans in place to deal with reported vulnerabilities. The time to plan is before an incident occurs, not during,” said Erlin.