Restaurant chain Panera Bread is under fire for ignoring a website vulnerability that exposed data of as many as 37 million account holders. To make matters worse, Panera is yet to release official incident information to the customers.

What happened and when

According to cybersecurity journalist Brian Krebs, a security researcher had contacted Panera Bread on August 2nd, 2017, informing the company of a website vulnerability that exposed personal account information to anyone visiting a database query web page. After several communication attempts, the researcher was informed that Panera’s security team was working on a  resolution. However, after 8 months, the vulnerability was still not patched, and the data was still exposed.

It was not until Brian Krebs reported on this issue on April 2nd, 2018, that Panera took action and placed the vulnerable page behind a login, preventing public access to the data. However, latest security research found that this “fix” still allows anyone with a valid Panera Bread online account to access the data after logging on.

Following the Krebs report, Panera Bread responded  to an inquiry from Fox News, confirming the incident but downplaying its magnitude and severity.

What data was affected

Panera’s website vulnerability exposed in plain text the following personal account information: customer names, account usernames, email addresses, physical addresses, birthdays, Panera loyalty rewards number and the last four digits of the customer’s credit card number. The breach also exposed commercial and catering account data.

Next steps and safeguards

Until the official customer communication from Panera Bread arrives, users of the restaurant’s online ordering system can take a precaution by changing their account password.

Wondering if your data was leaked in one of the prior breaches? Learn how to check using one of the free online tools.