Panera Bread’s 8-month long data breach affects millions

Dive Brief:

Panera Bread’s website, panerabread.com, leaked millions of customer records for at least eight months, reported Brian Krebs in his KrebsOnSecurity.com blog.
The records included names, email and physical addresses, birthdays, loyalty card numbers and the last four digits of the customers’ credit card numbers. The breach may have affected over 37 million customer records.
Krebs said the data was available in plain text from Panera’s website until the site was shut down yesterday. Apparently this included records on any customer with an account to order food online via panerabread.com.

Dive Insight:

Cybersecurity specialists continue to play whack-a-mole with data breaches, and another wave has hit retail. News of the prolonged exposure of customer data on Panera’s site follows news that the attacks suffered by the point-of-sale systems at some Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores last year led to the theft of about 5 million credit and debit card numbers. That breach of the three Hudson’s Bay Co. retail brands was said to be the biggest and most damaging in retail.

Another breach revealed this week hit about 150 million accounts of Under Armour’s MyFitnessPal app. Under Armour uses the food and nutrition app to promote its own ecommerce sales. Although MyFitnessPal does not require payment information, affected data may include usernames, email addresses and hashed passwords.

The Panera breach was discovered by security researcher Dylan Houlihan, who initially told Panera about customer data leaking from its website in August 2017, Krebs reported. It took some time for Houlihan to convince Mike Gustavison, Panera’s director of information security, about the seriousness of the breach, but it still wasn't addressed until this week. Notably, Gustavison formerly worked for Equifax until he joined Panera in 2013, but this was long before Equifax’s 2017 breach, which compromised about 145.5 million consumer records. A Panera representative downplayed the severity of the breach, telling Fox News it had touched fewer than 10,000 consumers.

In a written statement reported by Krebs, Panera said it had fixed the problem within two hours of being told of it by Krebs. However, Panera has not explained why it took eight months to address the problem. "Panera takes data security very seriously and this issue is resolved," the statement said. "Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved."

The Panera breach appears to be a bad one, but worse for the company may be its reluctance to address the problem promptly and its apparent evasiveness in public statements this week.