Panera Bread exposed millions of customer records because LOL security

You didn't care about security, did you?
By Raymond Wong

Here's your daily reminder there's no such thing as true security.

Panera Bread, the beloved St. Louis-based bakery chain, is the latest company to show how much it doesn't care about protecting customer data.

The food chain's website reportedly left its customers' personal data completely exposed for anyone to scoop up.

Data including "names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number" were leaked online, according to cybersecurity expert Brian Krebs, who helped publicize the news.

Security professional Dylan Houlihan first discovered Panera Bread's website was leaking customer data (including his own) in easily readable plain text in August 2017.

After a series of emails and false accusations claiming he was a scammer or was interested in a bounty, Mike Gustavison, Panera Bread’s Information Security Director, finally responded and said they were working on a resolution.

Eight months roll by — all the while, Houlihan's checking every month to see if the security hole has been fixed — and nothing happens. Houlihan decides enough is enough and forces Panera Bread's hand by getting Krebs to publicize the flaw in hopes of forcing the company to expedite a fix.

It's believed millions of users' data could have been exposed. Panera Bread, however, has downplayed the severity of the data leak, telling Fox News "only 10,000 customer records were exposed."

Panera Bread then said the company had fixed the security flaw, but Krebs discovered it wasn't in fact patched:

Almost in an instant, multiple sources — especially @holdsecurity — pointed out that Panera had basically “fixed” the problem by requiring people to log in to a valid user account at panerabread.com in order to view the exposed customer records (as opposed to letting just anyone with the right link access the records).

@onsecurity now believes up to 37 million customer records may have been affected.

At the time of publishing, Panera Bread's website remains down.


We've reached out to Panera Bread for comment on why it ignored Houlihan's warnings and failed to fix the flaw for eight months. We will update this article if and when we hear back.

Raymond Wong

Raymond Wong is Mashable's Senior Tech Correspondent. He reviews gadgets and tech toys and analyzes the tech industry. Raymond's also a bit of a camera geek, gamer, and fine chocolate lover. Before arriving at Mashable, he was the Deputy Editor of NBC Universal's tech publication DVICE. His writing has appeared on G4TV, BGR, Yahoo and Ubergizmo, to name a few. You can follow Raymond on Twitter @raywongy or Instagram @sourlemons.
