Panerabread.com, the website for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months, reports Brian Krebs of KrebsOnSecurity.
Another data point exposed in these records was the customer’s Panera loyalty card number, which could potentially be abused by scammers to spend prepaid accounts or to otherwise siphon value from Panera customer loyalty accounts, adds Krebs.
A security researcher brought this to the attention of Krebs, stating he reported this leak to Panera eight months ago but never saw any resolution.
Panera.com went offline briefly on Monday and later said the problem had been fixed.
“Panera takes data security very seriously, and this issue is resolved,” Panera Bread Chief Information Officer John Meister said in a statement to FOX Business. “Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”
Meister added: “Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps.”
Despite Panera’s statement, Krebs says the problem is much bigger and that the information of as many as 7 million customers may have been exposed.