Panera Allegedly Exposed Millions of Customers’ Data for at Least 8 Months


Panera Bread's online customer portal, which stores the personal and financial details of anyone who's ordered a meal from the fast-casual chain online, has been compromised in a data breach, the company acknowledged earlier this week.

The compromised data includes physical and email addresses, birthdays, and the last four digits of customers' credit cards. Those affected included anyone with an account on, according to the online security watchdog Krebs On Security. Adding an air of further controversy to it all are signs that Panera knew about the data breach for nearly a year but failed to take action to curtail it.

Per Brian Krebs' rundown, security researcher Dylan Houlihan initially informed Panera of the issue last August. A week after he broached the topic, Houlihan was told via email by the company's director of information security, Mike Gustavson, that Panera was "working on a resolution."

Despite the assurance, the page hosting the jeopardized data remained online until earlier this week, when Panera informed customers of the leaks. Krebs' data analysis indicates "that the number of customer records exposed in this breach appears to exceed 37 million."

A Panera spokesperson couldn't be reached at press time, although a company representative told Eater:

"Panera takes data security very seriously and this issue is resolved. Following reports today of a potential problem on our website, we suspended the functionality to repair the issue.

Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved. Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue and we are working diligently to finalize our investigation and take the appropriate next steps."

For his part, Krebs disputes Panera's claim that "fewer than 10,000 consumers" have been affected.

Panera is a popular chain with 2,100 outposts in the United States and Canada, and the researchers maintain that the purloined data includes corporate clients, such as caterers. The company recommends changing passwords and monitoring credit card activity in the ensuing days. On Monday, Panera's website was briefly taken down, ostensibly so the company could address the problem. It's since been reactivated.

h/t [Krebs on Security, Eater]

Sam Blum is a News Staff Writer for Thrillist. He's also a martial arts and music nerd who appreciates a fine sandwich and cute dogs. Find his clips in The Guardian, Rolling Stone, The A.V. Club and Esquire. He's on Twitter @Blumnessmonster