Apparently, Panera Bread has been ignoring a data breach that may affect millions of customers who placed online orders.
The vendor’s website has been accidentally leaking full names, email addresses, phone numbers, home addresses and last four digits of credit card numbers, according to security researcher Dylan Houlihan.
Houlihan claims he repeatedly warned the company about the breach back in August 2017 but the vendor did nothing. It wasn’t until Monday, when the media began to expose the whole incident, that the company patched the problem.
“Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months,” Houlihan wrote in a blog post about the breach.
The vulnerability itself involves an API on Panera’s website that lets the site pull customer information by customer ID. But according to Houlihan, that same API was publicly reachable and required no authentication. As a result, anyone could query the website’s customer database and potentially mine the sensitive details.
Houlihan’s blog post goes on to show email exchanges with Panera’s information security director Mike Gustavison in early August. “Now, after I was reassured this would be fixed, I checked on this vulnerability every month or so because my own data is in there,” Houlihan added. “So I personally know for a fact that it was never patched in the interim.”
On Monday, after security reporter Brian Krebs reported on the breach, Panera fixed the problem. But the vendor appears to be downplaying the severity of the incident, telling Fox Business that “Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue.”
However, Krebs and Houlihan estimate the number of affected consumers may easily cross into the millions. That’s because the vulnerable API on the Panera website used customer IDs that run past 7 million. If that wasn’t enough, Krebs noticed the problem extended to another vulnerable API for Panera’s online catering business. “At last count, the number of customer records exposed in this breach appears to exceed 37 million,” Krebs wrote.
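To make the two points above concrete, here is an added Python illustration that is not code from the article, from Houlihan, or from Panera. The customer store, the session shape, the `support` role and the access-log format are all constructed assumptions. The first function shows the pattern the article describes (a record lookup keyed only by an ID, with no caller check); the second requires an authenticated session, enforces object-level authorization before touching the store, and returns a minimized record. The last function parses constructed access-log lines and flags any client that has successfully fetched more distinct customer records than a threshold, the kind of monitoring signal that makes an exposed ID space visible to the defender.

```python
import re
from collections import defaultdict

# Constructed sample customer store (hypothetical schema, not Panera's).
CUSTOMERS = {
    1001: {"name": "A. Example", "email": "a@example.test", "card_last4": "1234"},
    1002: {"name": "B. Example", "email": "b@example.test", "card_last4": "5678"},
}


class AuthorizationError(Exception):
    """Raised when a caller may not read the requested record."""


def get_customer_unauthenticated(customer_id):
    """Vulnerable pattern: whoever supplies an ID gets the full record.

    Nothing ties the request to a logged-in user, so the only 'secret'
    protecting a record is the ID itself, and IDs here are sequential.
    """
    return CUSTOMERS.get(customer_id)


def is_authorized(session, customer_id):
    """Object-level authorization: the caller must be that customer,
    or hold the (assumed) 'support' role."""
    if not session or not session.get("user_id"):
        return False
    if session["user_id"] == customer_id:
        return True
    return "support" in session.get("roles", ())


def get_customer(session, customer_id):
    """Hardened lookup: authenticate, authorize, then minimize the response.

    The authorization check runs before the store is consulted, so an
    unauthorized caller learns nothing, not even whether the ID exists.
    """
    if not is_authorized(session, customer_id):
        raise AuthorizationError("not authorized for this record")
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return None
    # Return only what the UI needs; card digits stay server-side.
    return {"name": record["name"], "email": record["email"]}


# Constructed access-log format: "<client> - "GET /api/customer/<id>" <status>".
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ "GET /api/customer/(?P<cid>\d+)" (?P<status>\d{3})$'
)

SAMPLE_LOG = """\
198.51.100.7 - "GET /api/customer/1001" 200
198.51.100.7 - "GET /api/customer/1002" 200
198.51.100.7 - "GET /api/customer/1003" 200
198.51.100.7 - "GET /api/customer/1004" 200
203.0.113.9 - "GET /api/customer/1001" 200
"""


def find_enumerators(log_text, threshold=3):
    """Flag clients that successfully fetched >= threshold distinct records.

    A legitimate customer reads one or two records; a client walking the
    ID space shows up as many distinct IDs with 200 responses.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m["status"] == "200":
            seen[m["ip"]].add(int(m["cid"]))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    print(get_customer({"user_id": 1001}, 1001))
    print(find_enumerators(SAMPLE_LOG))
```

The threshold in `find_enumerators` is deliberately low for the five constructed lines; in practice it would be tuned per endpoint and time window, and the same logic applies equally to the catering API the article mentions, since the signal is "one client, many distinct IDs" regardless of which endpoint serves them.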
Panera did not immediately respond to a request for comment. It’s unclear if anyone with nefarious intent exploited the website vulnerabilities.