Hacking away at security
Margaret Waage, BA, MS
Freelance Journalist | Content Producer | Social Media
Panera Bread’s online ordering portal was compromised, the company acknowledged April 2. The breach at the popular fast-casual bakery and cafe chain, which has 59 locations in Georgia, hit close to my home, but probably close to yours as well.
The chain’s ordering website leaked customer information such as names, email addresses, birthdays and the last four digits of payment cards for those with panerabread.com accounts, reported Krebs on Security, a cyber-security news blog run by journalist Brian Krebs. Loyalty card numbers were leaked as well; these are attached to prepaid accounts, which can be used by anyone with the number.
Information on which states had customer data involved in the security lapse has not been reported.
Security researcher Dylan Houlihan reported the flaw to Panera in August 2017, at which time Mike Gustavison, Panera’s Director of Information Security, acknowledged the company was working on a resolution after initially dismissing the report as likely a scam. It now appears that no fixes were made to the site.
Panera’s Chief Information Officer John Meister told Reuters, “Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved. Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue and we are working diligently to finalize our investigation and take the appropriate next steps.” The panerabread.com site went offline after Panera was notified by Krebs on Security.
Krebs estimated that the number of exposed records was likely higher, as many as 37 million if Panera’s commercial division, which serves catering companies, is factored in.
Customers of Panera Bread’s website and loyalty card users should change passwords for the site and any other online service that uses the same combination of username and password.