Panera Bread data breach exposes customer records


Panera Bread’s website has leaked millions of customer records, KrebsOnSecurity reports.

The exposed data, which included names, emails, physical addresses, birthdays, and the last four digits of customers’ credit card numbers, was available for at least 8 months before it was taken offline earlier today.

Fox News reports that Panera Bread on Monday said it has resolved the security flaw on its website that exposed the data, but denied the data breach exposed a “large number of records,” despite KrebsOnSecurity’s report that the vulnerability may have leaked the personal data of millions of customers.

The website’s vulnerability, which appears to have first surfaced publicly via an anonymous PasteBin coding post on Monday, purportedly allowed easy access to customer names, email addresses, phone numbers and the last four digits of saved credit card numbers. Panera Bread confirmed the breach on Monday and said the “issue is resolved” without evidence of widespread customer exposure.

“Panera takes data security very seriously, and this issue is resolved,” Panera Bread Chief Information Officer John Meister said in a statement to FOX Business. “Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”

Meister added: “Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps.”

The data was available in plain text, and it appeared to include any customer who signed up for an account to order food online.


Brian Krebs, an independent investigative journalist who authors the “Krebs on Security” cybersecurity blog, reported that Panera was first alerted to the breach in August, eight months before it became public knowledge. Krebs says that indexed data from Panera’s website indicates that more than 7 million customers may be affected.

Panera representatives did not clarify what kind of private data was exposed. The chain operates more than 2,000 stores in the U.S.

The data breach comes days after Under Armour said a flaw in its MyFitnessPal app exposed the data of roughly 150 million users.

