
Panera Website Flaw Leaked Customer Info To Anyone On Web: Report

Panera Bread reportedly did nothing to address the issue after first being notified eight months ago.

The Panera Bread website apparently leaked customer information to anyone on the web for at least eight months after first being notified of the flaw, according to a report in Krebs on Security. The information leaked from the website included names, email addresses, birthdays and the last four digits of payment cards of customers who had signed up to order food online.

Krebs on Security was notified of the flaw by security researcher Dylan Houlihan, who says he brought the issue to Panera's attention in August 2017. Houlihan posted an email exchange he had with Mike Gustavison, Panera's director of information security. Gustavison first appeared to believe Houlihan's email was spam and about a week later responded that Panera was working on a resolution, according to the exchange posted by Houlihan.

According to Krebs on Security, the flaw had still not been fixed eight months after it was first reported to Panera. The report also noted that the exposed customer data could easily be indexed and crawled by automated tools, so collecting it in bulk did not require a targeted attack.


The flaw also exposed a customer's Panera loyalty card number, according to Krebs.

"Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved," Panera chief information officer John Meister said in a statement sent to CNBC. "Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue and we are working diligently to finalize our investigation and take the appropriate next steps."


Panera took the website offline to repair the issue after Krebs on Security contacted it. However, as Krebs later noted, Panera's fix only added a login requirement: anyone who signed in to panerabread.com with a valid account could still view other customers' information, rather than anyone on the web.
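The two failure modes the report describes, an endpoint that hands out customer records to anyone and a "fix" that only checks for a login without checking whose record is being requested, are easy to reproduce in miniature. The following is an added illustration, not Panera's code or any code from the Krebs report; it assumes records are keyed by a guessable numeric customer ID (the page does not say how Panera's endpoint was keyed), and all names, session tokens and customer data are constructed for the example.

```python
"""Added example: three versions of a "look up a customer record" handler.

Version 1 is the state the report describes (no check at all).
Version 2 is the authentication-only "fix" (any valid account reads any record).
Version 3 checks that the record belongs to the logged-in user.
The crawl() helper shows why version 2 is still a bulk-exposure problem.
All data below is constructed; handler names are hypothetical.
"""

from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class Customer:
    customer_id: int
    name: str
    email: str
    birthday: str
    card_last4: str
    loyalty_number: str


# Constructed sample records (not real people). Fields mirror the
# categories the report says were exposed.
CUSTOMERS = {
    1001: Customer(1001, "Alice Example", "alice@example.com", "1980-01-02", "4242", "L-0001"),
    1002: Customer(1002, "Bob Example", "bob@example.com", "1975-03-04", "1111", "L-0002"),
    1003: Customer(1003, "Carol Example", "carol@example.com", "1990-05-06", "9999", "L-0003"),
}

# Constructed session store: session token -> customer_id of the logged-in user.
SESSIONS = {"sess-alice": 1001, "sess-bob": 1002}


class Unauthenticated(Exception):
    """No valid session presented."""


class Forbidden(Exception):
    """Valid session, but the record belongs to someone else."""


def lookup_open(customer_id: int) -> Optional[Customer]:
    """Version 1: no authentication. Anyone on the web who can guess an ID
    gets the full record. This is the exposure the report describes."""
    return CUSTOMERS.get(customer_id)


def lookup_login_only(session_token: str, customer_id: int) -> Optional[Customer]:
    """Version 2: requires a valid session but never asks whose record was
    requested. Authentication without authorization: one valid account
    is enough to read every record."""
    if session_token not in SESSIONS:
        raise Unauthenticated()
    return CUSTOMERS.get(customer_id)


def lookup_owner_only(session_token: str, customer_id: int) -> Optional[Customer]:
    """Version 3: the requested record must belong to the authenticated user.
    The ownership check is done against the session, never against a
    user-supplied ID alone."""
    if session_token not in SESSIONS:
        raise Unauthenticated()
    if SESSIONS[session_token] != customer_id:
        raise Forbidden()
    return CUSTOMERS.get(customer_id)


def crawl(lookup: Callable[[int], Optional[Customer]], id_range: Iterable[int]) -> list:
    """Sequential-ID enumeration, the kind of automated collection the
    report says was possible. Returns every record the handler hands back."""
    found = []
    for cid in id_range:
        try:
            record = lookup(cid)
        except (Unauthenticated, Forbidden):
            continue
        if record is not None:
            found.append(record)
    return found


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("open endpoint:      ", len(crawl(lookup_open, ids)), "records")
    print("login-only 'fix':   ", len(crawl(lambda c: lookup_login_only("sess-bob", c), ids)), "records")
    print("owner check:        ", len(crawl(lambda c: lookup_owner_only("sess-bob", c), ids)), "records")
```

Run stand-alone, the open endpoint and the login-only version both give a single crawler all three constructed records; only the owner check limits Bob's session to Bob's own record. Requiring a login raises the cost of an attack from zero to one free account, which is not a fix. Unguessable record identifiers and rate limiting are worthwhile hardening on top of the ownership check, but they are not substitutes for it.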

According to Krebs' estimate, more than 37 million customer records were exposed. The Panera Bread website was offline on late Tuesday afternoon.

Panera Bread did not immediately respond to a request for comment.

