Skip to main content

Panera Bread’s data leak might affect more than 37 million customers

It’s getting to the point where no matter what kind of business you conduct, there is a very real risk of seeing your personal information leaked to nefarious parties. So far, hackers have gained access to banking, credit reporting, health insurance, email, and seemingly just about every other modern circumstance where your data is saved in a database. The latest: That soup and salad you ordered online at Panera Bread might have cost you some peace of mind.

According to KrebsOnSecurity, the food chain’s website was leaking information for a minimum of eight months, specifically the names, email addresses, physical addresses, birthdays, and last four credit card numbers for customers who placed online orders. The company has more than 2,100 restaurants throughout the U.S. and Canada, and that amounts to a huge number of potentially affected accounts.

The leak was first brought to Panera’s attention in August 2, 2017, by security researcher Dylan Houlihan. For whatever reason, the system was only taken offline on Tuesday, April 3, leaving a full eight months during which anyone with the appropriate knowledge could have scraped off the information and used it in a variety of potentially damaging ways. As KrebsOnSecurity indicates, the database’s format is such that customers could be easily searched and identified using any of the data.

As Houlihan put it, “Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you would like, up to and including the entire database.” In Houlihan’s opinion, Panera did nothing to address the issue during the entire eight-month period.

The number of customers affected by the breach is uncertain. While Panera has stated that only 10,000 accounts were compromised and that the company requiring a valid account login to access the information would mitigate the problem, further information indicates that the number of affected customers could number in the millions. In fact, greater than 37 million customers records could be involved.

As always, if you are potentially affected by this data breach, you will want to keep a close eye on all of your credit, banking, and other activity. If you see anything suspicious, then contact the relevant companies immediately. You might also consider investing in an identity theft protection service that can help you keep an eye out for any privacy concerns.

Editors' Recommendations