Following the unfortunate trend of large cooperations apparently hit by security breaches like Equifax, My Fitness Pal, and Saks and Lord & Taylor, NBC News and other outlets are reporting today that according to a security expert, Panera Bread exposed the data of millions of its customers, including their “names, emails, addresses, birthdays and partial credit card numbers.”
The breach was reported yesterday by Brian Krebs, who describes himself in his Twitter bio as an “independent investigative journalist.” He was contacted by security researcher Dylan Houlihan, who noticed the breach and tried to contact Panera Bread about it months ago, receiving little response.
Houlihan outlined his communications with Panera in a Medium blog post titled, “No, Panera Bread Doesn’t Take Security Seriously.” He describes trying to alert the company to the problem basically offering up this information as an interested party (as a Panera customer, his own data was also in danger of being exposed), only to be basically dismissed.
Once Houlihan contacted Krebs, and Krebs made his findings of the breach public, Panera finally made a statement, after taking the website down a few times. In a statement sent to CNBC, Panera’s chief information officer John Meister said,
Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved. Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue and we are working diligently to finalize our investigation and take the appropriate next steps.
But Krebs kept checking the site, and saying that he could still access the leak, maintaining that the numbers of affected customers were much higher than the 10,000 or so that Meister mentioned.
The Panera website was down for a bit, hopefully because the company is taking a closer look at its security issues. Houlihan sums the situation up at the end of his Medium post: “Until we start holding companies more accountable for their public statements with respect to security, we will continue to see statements belying a dismissive indifference with PR speak… When Panera Bread says ‘We take security seriously,’ they mean ‘We didn’t take it seriously enough.’”