In recent promotions, the Panera Bread restaurant chain has advertised having “food worth sharing.”
Apparently, food is not the only thing Panera, which has more than 2,000 restaurants in the United States, has been sharing.
Independent investigative journalist Brian Krebs of the Krebs on Security blog reported Monday that a Panera security breach exposed the personal records of as many as 37 million customers who signed up to order food online and that the information appears to have been available for at least eight months.
Panera Bread chief information officer John Meister disputed the numbers, according to Fox Business, saying fewer than 10,000 customers were affected by the breach.
The company’s website is not available as of Wednesday night. Those visiting the official Panera website receive an apology message and a note that the site is down for “essential maintenance.”
Dylan Houlihan, a security researcher, brought the flaw to Panera officials’ attention on August 2, 2017, according to Krebs on Security. The flaw leaves personal information accessible, including names, email addresses, physical addresses, birthdays, and the last four digits of credit card numbers.
Initially, the company’s director of information security, Mike Gustavson, did not appear to take Houlihan’s concerns seriously, according to an email exchange Houlihan provided to Krebs.
After about a week, Gustavson changed his tune, thanking Houlihan and telling him action would be taken to address the problem.
Houlihan kept checking, and when nothing had been done eight months later, he brought his concerns to Krebs, who has established a reputation for investigative reporting on cybersecurity issues.
The Panera Bread leak is the latest in a series of data leaks by various companies that have exposed customers’ private information to hackers.
A data breach at Equifax exposed the data of 147.9 million people.
In September 2016, Yahoo announced that the names of 500 million users, plus their email addresses, birthdays, and telephone numbers, had been compromised two years earlier due to a security breach. That revelation came as the company was working on selling itself to Verizon.
As big as a security breach affecting 500 million customers was, it was nothing compared to Yahoo’s revelation months later that the passwords of 1 billion of its users had been compromised in 2013.
Eventually, the company revised even that estimate, acknowledging that all 3 billion Yahoo users’ passwords had been compromised.
Other companies that have exposed their customers’ personal information through security breaches include eBay, Target, JPMorgan Chase, Uber, Sony PlayStation Network, Anthem, Home Depot, and Adobe.