U.S. bakery chain Panera Bread has leaked millions of online consumer records, including birthdays and partial credit card numbers, for at least eight months, a computer security blog says.
Names, email addresses, physical addresses, birthdays and the last four digits of the consumers’ credit card numbers for up to 37 million Panera Bread customers were available in plain text on the company’s website, Brian Krebs reported on his Krebs on Security blog on Monday.
A Panera Bread spokesman told Fox Business on Monday that it has resolved the security flaw but said it affected fewer than 10,000 customers.
“Panera takes data security very seriously, and this issue is resolved,” Panera Bread chief information officer John Meister said in a statement to Fox Business. “Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”
Security researcher Dylan Houlihan wrote on Medium that he first reported the leak to Panera Bread in August. A message thread posted by Houlihan includes responses from the company indicating it was working to fix the problem. However, when the issue persisted months later, Houlihan contacted the Krebs on Security blog with the information.
“Now, after I was reassured this would be fixed, I checked on this vulnerability every month or so because my own data is in there, which means I’m personally affected by it,” Houlihan wrote. “So I personally know for a fact that it was never patched in the interim.”
The data available in plain text from Panera’s site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com, KrebsOnSecurity reported.
Founded in 1987 in a merger between a cookie shop and a bakery, Panera Bread operates more than 2,000 stores across the United States.