You can add Panera Bread to the list of companies that have left customer data exposed. Thanks to security researcher Dylan Houlihan, KrebsOnSecurity discovered that Panera Bread apparently left millions of customer sign-up records (around 37 million) in plain text on its website. These records include email addresses, phone numbers, loyalty account numbers and home addresses. Thankfully, there was no payment information, but it would have been very easy for anyone who found the records to harvest the information and use it for identity fraud or spam campaigns.
To make matters worse, it seems that Panera Bread wasn't very responsive in addressing the problem either. Houlihan notified the company about the problem back in August 2017 and received a response from the team that they were "working on a resolution," but the information apparently wasn't taken down until KrebsOnSecurity got involved, twice.
In a statement, Panera Bread said it is still investigating the vulnerability, but that its investigation so far shows "no evidence" that payment information was exposed or that a "large number" of accounts were accessed. This is a huge problem because it shows, yet again, that companies have failed to encrypt the data or abide by basic security policies.
Hey @panerabread: before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn't extend to all other parts of your business, like https://t.co/rSpkwc3y1v, etc. Only proper response is to deep six entire site
— briankrebs (@briankrebs) April 2, 2018