Panera Bread says it fixed website security flaw exposing customer records


Online security experts allege that Panera Bread, the US-based bakery-café chain, left millions of customers' personal records exposed and searchable on its website for at least eight months, leaving the data open to theft and use in identity fraud. No payment card data was involved, but the information could have been harvested with very little effort and used for identity fraud or targeted spam campaigns.

Security writer Brian Krebs reported that researcher Dylan Houlihan identified the vulnerability and notified the fast-casual bakery as long ago as August 2, 2017, but that Panera did not act until Monday on what was initially believed to be 7 million exposed records.

The all-you-can-eat menu on its website served up online account holders' full names, home addresses, email addresses, dietary preferences, usernames, phone numbers, birthdays and the last four digits of saved credit card numbers to anyone able to construct a simple web query.

KrebsOnSecurity stated the site was still leaking data as of this week.


"No, the flaw never disappeared", Houlihan told Krebs.

Panera Bread knows how to make a delicious sandwich; that much we can confidently say (The Italian is this editor's go-to item on the menu). KrebsOnSecurity said it contacted Panera on Monday and the website was taken down. Months after Houlihan's initial report, Krebs found that the customer data was still accessible, something Houlihan confirmed.

Krebs and Houlihan, however, noted the data remained public and searchable on the company's website.

"Following reports today of a potential problem on our website, we suspended the functionality to fix the issue", Meister said. KrebsOnSecurity says the number of accounts affected may be as high as 37 million, while Panera maintains that only 10,000 records were exposed.