Panera Bread knows how to make a delicious sandwich, that is something we can confidentially say (The Italian is this editor’s go-to item on the menu). Unfortunately, it might not be as good with security. Security researcher Brian Krebs with KrebsOnSecurity says Panera Bread’s website leaked millions of customer records containing a plethora of personal information, with the data made available in plain text. Yikes!
The security breach compromised customer records containing names, email addresses, physical addresses, birthdays, and the last four digits of credit card numbers. That is the kind of information that can make identify theft a little easier, though fortunately no social security numbers were compromised (it would have been silly for Panera Bread to collect such information in the first place).
Panera Bread has more than 2,100 retail locations in the United States. The food chain allows customers to order items online at its website for pickup in one of its stores, or for delivery. That is all fine and dandy, but storing the information in plain text is a major no-no.
The breach was first spotted by Dylan Houlihan, a security researchers who notified Panera Bread about the customer data leak eight months ago. Mike Gustavison, Panera’s director of information security, initially thought it was a scam and dismissed the tip. However, the information was validated a week later, prompting Panera Bread to work on a fix.
“Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you’d like, up to and including the entire database,” Dylan Houlihan told KrebsOnSecurity.
Even worse is that the records can be indexed and crawled by automated tools relatively easily. And even though Panera Bread was aware of the issue since August of last year, “the flaw never disappeared,” Houlihan said, adding that “checked on it every month or so because I was pissed.”
Panera Bread’s website was briefly taken offline yesterday after being contacted by KrebsOnSecurity. It appears that its customer records are no longer reachable. Even so, if you’ve registered and made a purchase on Panera Bread’s website, keep an eye on your credit card statements for any foul play.
Thumbnail and Top Image Source: Flickr via Mike Mozart