Panera Bread Leaked Customer Data Right on its Website for Months Despite Warnings

Security experts have alleged that U.S bakery-cafe chain Panera Bread had “millions” of customers’ personal information available and searchable on its site for at least eight months, leaving them vulnerable to identity theft.

A plain-text page on Panera’s websit.e revealed the full names, email addresses, physical addresses, phone numbers, date of birth, dietary preferences, and last four digits of credit cards of customers who signed up for the company’s delivery service, the researchers said.

The data leak was discovered last year by Dylan Houlihan, who on his LinkedIn page describes himself as the managing principal of New York-based Breaking Bits, a “data mining, reverse engineering and security consulting practice.”

In a just-published Medium post with images of old email exchanges, Houlihan stated that he reached out via email, Twitter, and LinkedIn to Panera Bread’s director of information security, Mike Gustavison, upon discovering the breach, but received no reply. In early August, after Houlihan successfully reached him through an introduction, Gustavison said he hadn’t responded to the earlier messages because they were “very suspicious and appeared scam in nature,” according to Houlihan, who added Gustavison then told him that the security team was “working on a resolution.”

Months passed without any fix, according to Houlihan.

“I have also submitted reports like this to companies, in bug bounties and as a courtesy with no expectation of a reward,” wrote Houlihan. “I have been on both sides of the table. The response I received is not appropriate whatsoever.”

Houlihan then contacted Brian Krebs, a security writer and former Washington Post reporter whose blog KrebsOnSecurity is widely read in the industry. A subsequent post by Krebs brought more attention to the problem.

Krebs initially placed the number of customers potentially affected by the leak at “higher than 7 million,” and later pegged it at 37 million. In statements to Fox Business after Krebs published his piece, Panera’s chief information officer John Meister called the issue “resolved” and said that the leaks affected “fewer than 10,000 consumers.”

Krebs and Houlihan, however, noted the data remained public and searchable on the company’s website. Now, after continued harping on Twitter by Krebs and Houlani’s Medium post, Panera’s URLs lead to an “access denied” page.

Hey Panera, despite your statements to the contrary, you still haven't fixed this customer info leak. Would you like to revisit the 10k number you just gave to Fox news? https://t.co/AJeiq6Dfd0

— briankrebs (@briankrebs) April 2, 2018

Hey @panerabread : before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn't extend to all other parts of your business, like https://t.co/rSpkwc3y1v, etc. Only proper response is to deep six entire site

— briankrebs (@briankrebs) April 2, 2018

News of Panera’s data leak follows a security breach that exposed the email addresses, user names, and passwords of 150 million users of MyFitnessPal, a fitness-tracking app owned by Under Armour. On March 29 the clothing company said it began telling affected users to change their passwords days after it first discovered the breach. Last year the credit agency Equifax, meanwhile, revealed that hackers had stolen some of its customers’ personal data, affecting nearly 140 million people in total.

Houlihan wrote that Gustavison, the information security director at Panera he corresponded with in August, was senior director of security operations at Equifax from 2009 to 2013. His departure from Equifax came before the credit agency’s breach, “but after all of the foregoing, does this seem quite so surprising?” Houlihan wrote.

Quartz has reached out to Gustavison and Panera (as well as Krebs and Houlihan) for comments and will update this piece as merited.