PaneraBread.com Website Customer Data Exposed – Patched Months Later!
Panera Bread’s consumer website, PaneraBread.com, exposed the data of millions of customers. The data leak was first noticed last August but was not handled until this week. The exposed data belongs to Panera customers who have PaneraBread.com web accounts for ordering food online.
Exposed data here means that any website visitor could see the customer data of everyone who had ordered from the PaneraBread.com website. No login was required, not that it would have mattered! The customer information was plainly visible online as a text dump. The exposed (or leaked) Panera Bread customer data includes customer names, loyalty program ID numbers, email addresses, street addresses, phone numbers, birthdays, and the last four digits of customers’ credit card numbers.
The exposed data was first reported to Mike Gustavison, Panera’s Director of Information Security, in August 2017. It was noticed by security researcher Dylan Houlihan, who notified Gustavison by email. However, the data was not secured until this week, when Brian Krebs wrote about it in a blog post.
No complete credit card numbers were exposed, meaning anyone scraping the data could not use it to make fraudulent charges. However, the Panera loyalty account numbers could be used by attackers to spend prepaid funds or loyalty rewards, and any of the exposed customer information could be used as part of a social engineering attack.
The security situation is not a website hack, but rather a web programming issue: the site served customer records to anyone who asked for them. Although Panera stated that the data leak is confined to about 10,000 customer records, Brian Krebs of KrebsOnSecurity reports that the leak may involve as many as 37 million customer records.
The website was taken offline briefly to address the issue. Panera Bread fixed the exposure by requiring a login before the customer data can be viewed.
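The programming mistake described above, and the fix of requiring a login, are easy to see side by side in code. The following is an added illustration, not Panera’s code: a hypothetical customer-record endpoint written as plain Python functions, with constructed sample records whose fields mirror the categories the article lists, a hypothetical session store, and a scraper that walks through IDs the way someone harvesting the text dump would. The vulnerable version hands out any record to any caller; the hardened version requires a valid session and only returns the record belonging to the logged-in customer.

```python
import json
from typing import Callable, Optional, Tuple

# Constructed sample records (not real customers); the field names mirror the
# categories the article says were exposed.
CUSTOMERS = {
    1001: {"name": "Ann Example", "loyalty_id": "L-1001", "email": "ann@example.com",
           "phone": "555-0100", "birthday": "1980-01-01", "card_last4": "4242"},
    1002: {"name": "Bob Example", "loyalty_id": "L-1002", "email": "bob@example.com",
           "phone": "555-0101", "birthday": "1975-06-15", "card_last4": "1881"},
}

# Hypothetical session store: opaque session token -> customer id of the
# logged-in user. Only Ann has a live session in this example.
SESSIONS = {"sess-ann": 1001}


def vulnerable_lookup(customer_id: int, session_token: Optional[str] = None) -> Tuple[int, str]:
    """The exposed pattern: the session token is ignored entirely, so any caller
    who guesses or increments an ID gets the full record back as a text dump."""
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return 404, ""
    return 200, json.dumps(record)


def hardened_lookup(customer_id: int, session_token: Optional[str] = None) -> Tuple[int, str]:
    """Require a valid session (authentication) and serve only the caller's own
    record (authorization). A foreign ID and an unknown ID both return 404 so the
    endpoint cannot be used to confirm which customer IDs exist."""
    owner = SESSIONS.get(session_token) if session_token else None
    if owner is None:
        return 401, ""
    if owner != customer_id or customer_id not in CUSTOMERS:
        return 404, ""
    return 200, json.dumps(CUSTOMERS[customer_id])


def scrape(lookup: Callable[..., Tuple[int, str]], start: int, end: int,
           session_token: Optional[str] = None) -> dict:
    """Simulate an ID-enumeration scraper: request every ID in the range and
    keep whatever comes back with a 200. Returns the harvested records."""
    harvested = {}
    for cid in range(start, end + 1):
        status, body = lookup(cid, session_token)
        if status == 200:
            harvested[cid] = json.loads(body)
    return harvested


if __name__ == "__main__":
    print("vulnerable endpoint, no login:", sorted(scrape(vulnerable_lookup, 1000, 1005)))
    print("hardened endpoint, no login:  ", sorted(scrape(hardened_lookup, 1000, 1005)))
    print("hardened endpoint, Ann's session:", sorted(scrape(hardened_lookup, 1000, 1005, "sess-ann")))
```

Run as a script, the vulnerable endpoint yields every record in the ID range to an anonymous scraper, while the hardened endpoint yields nothing without a session and only Ann’s own record with her session. Note that requiring a login alone is not enough; the ownership check is what stops one logged-in customer from walking through everyone else’s records.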
About Panera Bread
The Panera Bread Company is based in Sunset Hills, Missouri. The company operates over 2,100 bakery-café casual restaurants in the United States and Canada. Customers order breads, soups, desserts, and salads in stores and online. Mike Gustavison, Panera’s Director of Information Security, was formerly the senior director of security operations at Equifax. The credit data giant was hacked in 2017, exposing the credit profiles of millions of consumers.
Former Washington Post writer Brian Krebs writes about many topics on krebsonsecurity.com, including breaking news about security breaches that haven’t yet been reported publicly.
The leaky website, panerabread.com, was down at the time of this writing!