Panera Bread has suffered a major data breach, affecting potentially 7 million customers. The data is said to include names, email addresses, and credit card information. What’s worse – the data could have been crawled and indexed with simple automated tools.
This wasn’t news to those at the top at Panera Bread. Last summer, a security researcher told Panera Bread that their website was exposing this sensitive data. When Panera was made aware of the flaw, they dismissed it as a scam or sales pitch. After months with the flaw still unpatched and the data still exposed, the security researcher decided to go public with evidence of the vulnerability.
“I am not exaggerating when I say you have a massive sensitive data exposure issue,” he said, “and I’d simply like you to be made aware of it so you can quickly resolve it.” -researcher Dylan Houlihan (in response to Panera Bread maintaining that he was giving a sales pitch).
Panera Bread is now downplaying the severity of the breach, telling Fox News that the exposure has been secured and that only ten thousand records were exposed. Krebs on Security is not buying it, especially given Panera’s commercial division, which serves countless catering companies that may run on the same software.
As the disclosure shitshow that describes @panerabread response to their breach indicates, most companies respond to breach notifications like they would a stranger telling them they have a cold sore on their lip. If you get no love, please ping krebsonsecurity @ gmail dot com
— briankrebs (@briankrebs) April 3, 2018
As of this writing, Panera has not made any statement on their website (it was recently taken down) nor on Twitter about the breach.
Photo Credit: Mike Mozart