Panera Bread data breach: millions of customer records leaked

Panera Bread

The security news site KrebsOnSecurity reported in an article published on Monday that panerabread[.]com, the website of the US bakery-café chain Panera Bread, had exposed millions of customer records, including names, birthdays, e-mail addresses, home addresses, and the last four digits of credit card numbers.

KrebsOnSecurity also reported that the site was taken offline briefly earlier on Monday after it contacted the company. By then, the data had been exposed for at least eight months.

Panera Bread, headquartered in St. Louis, Missouri, has been in business for more than 30 years. It operates more than 2,100 stores in the United States and Canada, roughly half company-owned and half franchised, with annual sales in the billions of dollars.

To broaden its sales channels, Panera Bread lets customers order food online by registering on panerabread[.]com. After placing an order through the website, the customer can choose delivery by Panera Bread staff or in-store pickup.

The problem was that security researcher Dylan Houlihan found that the Panera Bread website returned, in plain text, what appeared to be the detailed personal data of every registered customer.

KrebsOnSecurity learned of the incident after Houlihan contacted it on Monday. According to Houlihan, he had first notified Panera Bread of the finding as early as August 2, 2017.

Houlihan showed KrebsOnSecurity screenshots of his e-mail exchange with Panera Bread's information security director, Mike Gustavison. According to the screenshots, Gustavison initially suspected that Houlihan's report might be a scam. The later part of the exchange shows that the company verified Houlihan's findings only about a week later and stated that a fix was in progress.

KrebsOnSecurity stated that it is unclear how many customer records the company's website exposed, but the sequential customer record numbers indexed by the site suggest the number may exceed 7 million. It is also unclear whether Panera Bread customers' account passwords were affected.

In a written statement, Panera Bread said it had resolved the issue within two hours of being notified by KrebsOnSecurity. It did not, however, explain why it took eight months after initially verifying Houlihan's findings to fix the problem.

“Panera takes data security very seriously and this issue is resolved,” the statement reads. “Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”

Source and image: KrebsOnSecurity