It’s not uncommon for popular retail chains to discover malware on their systems that’s meant to steal customer data. That’s precisely what has happened at Panera Bread. The bakery-cafe chain has confirmed that its website suffered a data breach which likely affects more than 37 million of its customers. As if the data leak wasn’t enough, those customers won’t like it at all when they find out that the chain knew about the hack for nearly a year before disclosing it to the public.
Security publication KrebsOnSecurity reports that Panera Bread knew about the exposed data, which includes emails, names, mailing addresses, birthdays, and the last four digits of customers’ credit cards, for almost a year before it took down the page that was leaking the data just yesterday.
The data available in plain text from the company’s website includes records for any customer who signed up for an account to order food online through panerabread.com. Dylan Houlihan, a security researcher, says that he initially notified the chain about the customer data leaking from its website back in August 2017.
A message thread between the researcher and Panera’s director of information security, Mike Gustavison, shared with the KrebsOnSecurity reporter, reveals that the company had initially dismissed the report as a possible scam. Later messages suggest that the company validated his findings and started working on a fix.
Even eight months after the initial report, the website was still leaking customer data up until yesterday. The security researcher adds that he knows the flaw never disappeared because he checked on it every month or so.
“Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved,” Panera said in a statement.