Risk Report: Panera Bread

Hackers Won’t Ignore a Security Breach. Why Should You?

Recently, Krebs On Security reported that 37 million Panera Bread customers had their private information exposed for at least eight months starting in late 2017. Panera was forced to address the fact that its website was leaking customer information, and the organization had to take down its online ordering portal, a digital sales point responsible for 26% of its annual sales revenue.

Panera had been alerted to the security vulnerability eight months before news of the breach broke.

According to Krebs, Panera received a third-party tip in August 2017 from a security researcher, Dylan Houlihan, that its customer-facing website was insecure. The message sent to notify Panera included photographic evidence that the website was leaking customers’ personal information.

As a result of the vulnerability, hackers had unlimited access to data from customers who signed up for loyalty programs and who entered private information to order food online. Millions of usernames, email addresses, postal addresses, phone numbers, dates of birth, partial credit card numbers and more were completely unprotected for at least eight months.

Despite the evidence and Houlihan’s consistent follow-up, Panera Bread’s Information Security Director, Mike Gustavison (formerly information security director at Equifax), told Houlihan that the company was working on a resolution, while in fact it had elected not to investigate the vulnerabilities Houlihan documented.

After eight months of inaction from Panera, the leak went viral when Houlihan made his findings public on krebsonsecurity.com. Panera may face additional penalties for failing to address a known vulnerability.

Work with MCPc’s information security experts to design security programs that protect your employees and your data, and that make your organization resilient in the event of a breach.

Protect the path of least resistance into your network with Fortress: Secure Endpoint Management. MCPc’s Fortress suite of managed services identifies cyber threats and monitors, patches, and backs up the devices used to run your business, 24x7x365.