Add another big-name brand to the list of those who've left customer data exposed online. Thanks to security researcher Dylan Houlihan, KrebsOnSecurity has discovered that Panera Bread left millions of customer sign-up records (possibly 37 million) in plain text on its website, including email addresses, home addresses, phone numbers and loyalty account numbers. There was no payment info, thankfully, but it would have been patently easy for evildoers to harvest that information and use it as part of identity fraud or spam campaigns.
Crucially, Panera Bread didn't appear to be responsive to the problem. Houlihan notified the company about the problem in August 2017 and got a response promising that its team was "working on a resolution," but it didn't take down the info until KrebsOnSecurity got involved -- twice. In a statement, Panera Bread said it was still investigating the vulnerability but indicated that there was "no evidence" of either payment info or anyone accessing a "large number" of the accounts.
As such, you're probably not at risk if you signed up for a Panera Bread website account. However, this underscores a recurring problem with internet security: numerous companies have failed to encrypt data or otherwise abide by basic security policies. Although there's no guarantee that locking down data will prevent breaches, it beats welcoming thieves with open arms.
Hey @panerabread : before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn't extend to all other parts of your business, like https://t.co/rSpkwc3y1v, etc. Only proper response is to deep six entire site— briankrebs (@briankrebs) April 2, 2018