Panerabread.com is the website for the American chain of bakery-café fast food restaurants that goes by the same name. According to news reports, the website has leaked millions of customer records which include details like name, email and physical addresses, birthdays, and the last four digits of the customer’s credit card numbers. This data was available on their website for almost eight months before it was taken down.
Panera Bread has over 2,100 retail locations in the US and Canada, and the company lets customers order food online. The data of customers who had signed up for an account to order food online through Panerabread.com was displayed in plain text on the website.
This data breach was first discovered by Dylan Houlihan, the managing principal of New York-based Breaking Bits, a “data mining, reverse engineering and security consulting practice.” Houlihan stated that he first informed Panera about the breach on August 2, 2017. He tried to reach Panera’s director of information security, Gustavison, through email, Twitter, and LinkedIn, but received no response from the company.
Eventually, when Houlihan was able to reach Gustavison through an introduction, Gustavison said that he had not responded to Houlihan’s messages because he thought they were “very suspicious and appeared scam in nature,” and then stated that the security team was “working on a resolution.”
Months passed without any fix, according to Houlihan. “I have also submitted reports like this to companies, in bug bounties and as a courtesy with no expectation of a reward,” wrote Houlihan. “I have been on both sides of the table. The response I received is not appropriate whatsoever.”
Despite Houlihan’s repeated attempts to press Panera to fix the data leak, it remained open. There was a series of email exchanges between the two parties, yet eight months later the data was still available on the website. Finally, Houlihan connected with Brian Krebs, a security writer and former Washington Post reporter whose blog, KrebsOnSecurity, is widely read in the industry.
After Krebs published a piece about the data leak, Panera issued a statement saying that the issue had been taken care of. However, the data was still available on the website. It took repeated social media posts from Krebs and Houlihan for the matter to be finally resolved.
Panera issued a written statement indicating that the problem had been fixed within two hours of being notified by KrebsOnSecurity. However, the company did not explain why it had taken eight months after Houlihan’s first report to address the issue.