Panera Bread's website involved in a data leak
- Author: Eleanor Harrison, Apr 04, 2018, 0:53
On Monday, security expert Brian Krebs reported that PaneraBread.com, the online domain for the U.S. bakery and cafe chain, exposed customer records including names, email addresses, physical addresses, dates of birth, loyalty card numbers, and the last four digits of credit card numbers.
KrebsOnSecurity.com reported that the website had leaked names, addresses and the last four digits of credit card numbers until yesterday.
Customer information such as phone numbers, email addresses and physical addresses may have been made available through the company's website.
Panera Bread has found itself in the hot seat after allegedly sitting on a security vulnerability for at least eight months and not taking action.
If you visit Panera Bread's website today, you won't find the usual collection of sandwiches, soups, salads, and sausage rolls.
"Now, after I was reassured this would be fixed, I checked on this vulnerability every month or so because my own data is in there, which means I'm personally affected by it", Houlihan wrote.
According to Quartz, the data leak was discovered last year by Dylan Houlihan, the managing principal of New York-based Breaking Bits, a "data mining, reverse engineering and security consulting practice".
KrebsOnSecurity stated the site was still leaking data as of this week. Eventually, the Panera executive said they were working to fix the problem.
Following the blog post, Panera denied the estimation from Krebs that millions of customer records might be at risk.
"The flaw never disappeared", Houlihan told KrebsOnSecurity.
@onsecurity now believes up to 37 million customer records may have been affected.
However, both Houlihan and Krebs noted that the data in question remained searchable and public on Panera's website.
A representative from Panera did not respond immediately to a request for comment from MONEY.
Reuters is reporting that Panera Bread is saying that the issue has been resolved.