A security expert claims that a Panera Bread security breach potentially exposed millions of customers’ sensitive personal data — including partial credit card information — and that the restaurant chain was warned about the issue in August.
Panera Bread said the security issue was resolved this week and that it would have only impacted 10,000 customers or fewer.
“Panera takes data security very seriously and this issue is resolved,” the company said in a statement.
“Following reports today [Monday] of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved. Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue and we are working diligently to finalize our investigation and take the appropriate next steps.”
While Panera Bread said the issue had been fixed this week, the company did not respond to NRN’s request for comment on why action hadn’t been taken in August when the flaws were first brought it to the chain’s attention.
Cyber Security site KrebsonSecurity reported on the breach on Monday, igniting a controversy over the chain’s handling of the breach and how many customers were impacted.
Site owner Brian Krebs, a former Washington Post reporter, was tipped off to this story by security researcher Dylan Houlihan.
Houlihan said he had stumbled onto a security problem on Panera Bread’s website and brought it to the chain’s attention last summer. The security flaws revealed the full names, addresses, emails and last four digits of customer credit card numbers, Houlihan said. When St. Louis-based fast-casual leader didn’t fix the problem for months, Houlihan said, he went to the media.
On Monday, Krebs warned that the “data available in plain text from Panera’s site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com.” He claimed the potential number of customer records exposed to exceed 37 million, not 10,000, as Panera Bread said.
In a Monday blog post, Houlihan provided his account of how he attempted to warn Panera of the security breach.
He said he contacted Mike Gustavison, Panera’s director of information security. He told the executive in an email that a security vulnerability exposed customers’ full names, addresses, emails and last four digits of their credit card numbers.
Houlihan said Gustavison didn’t appear to take him seriously and considered his offer to give the chain information on the matter appeared to be a “sales tactic.” Ultimately, Gustavison ended the email exchanges in August by telling Houlihan that Panera is “working on a resolution.”
The exchange came about a month after JAB Holding Co. completed its $7.5 billion purchase of Panera Bread Co.
According to a LinkedIn profile, Gustavison previously worked at the credit reporting agency Equifax as senior director of security operations from 2009 to 2013. In 2017, Equifax exposed the personal data of 143 million customers, according to the Federal Trade Commission.
New York-based e-commerce fraud prevention firm Forter says its research shows that QSR companies are especially vulnerable to fraud attacks. The company found that food and beverage fraud specifically climbed 117 percent in 2017.
It is continuing to rise “as criminals realize food websites are lucrative targets that house valuable consumer data,” CEO Michael Reitblat said.
Contact Nancy Luna at [email protected]
Follow her on Twitter @FastFoodMaven