Panera Bread latest business giant hit by breach

Relative to other industries, the restaurant and food service sector has remained relatively unscathed from cyberattacks, whether due to more effective credit card processing strategies, compliance or simply good fortune. But major eateries are increasingly feeling the fallout, with Panera Bread the latest victim.

As first reported by KrebsOnSecurity, hackers were able to successfully breach Panera Bread’s website, exposing the credit card information of a disputed number of customers. Not only were their account numbers leaked, but mailing addresses, names and birth dates were exposed as well.

“Panera may have known about the breach since August 2017.”

Perhaps the most egregious aspect of the compromise is that the fast-casual chain reportedly knew about the breach but failed to publicize it, KrebsOnSecurity reported.

Brian Krebs, cybersecurity writer and purveyor of the website that broke the story, indicated the breach became known to him after receiving an email from a cybersecurity researcher, who said he informed Panera about the matter last summer. Panera IT director Mike Gustavison replied, saying the company was “working on a resolution,” but eight months later, the breach hadn’t been resolved.

“No, the flaw never disappeared,” wrote security researcher Dylan Houlihan to KrebsOnSecurity. He added in the email that he checked on the status of the situation on a fairly regular basis, once every month or two.

John Meister, Panera Bread chief information officer, told CNBC that the issue when first reported to the company was addressed and contained, but they have since implemented added measures to ensure due diligence.

“Panera takes data security very seriously and this issue is resolved,” Meister told CNBC. “Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”

Panera says breach leaked data on 10,000 customers
But there’s conflicting information on just how big the breach was. Meister informed CNBC the leak was isolated to 10,000 customers, but Krebs said his intel and sources put the total at 37 million.

The fast-casual bakery and cafe franchise is the latest company to feel the effects of cybercrime. Each passing day seems to bring yet another, in a variety of industries such as retail, social media, transportation and health care. According to IBISWorld, the entertainment industry, commercial banking, health and medical insurance and big box retail are among the leading sectors that have seen a greater number of security threats. Target informed customers back in 2013 that roughly 40 million customer credit cards and debit cards were exposed, but further investigation revealed the hack involved 110 million customers.

More recently, credit agency Equifax experienced a similar incident, wherein follow-up analysis found the breach impacted more accounts than originally presumed. In March, Equifax announced 2.4 million more customers were affected than its first estimate, putting the total number at nearly 148 million, according to The Washington Post.

Massachusetts set to sue Equifax
While a breach may not necessarily result in hackers obtaining consumers’ identifiable data, it provides them the opportunity. Those actually affected have turned to the courts for legal recourse. In fact, a state court recently gave the go-ahead for Massachusetts to file a class action lawsuit against Equifax on behalf of the businesses and consumers impacted, Reuters reported.

Suffolk County Superior Court Judge Kenneth Salinger, who rendered the decision, noted the lawsuit had standing because Equifax is duty bound to protect the sensitive data of its customers, which it failed to do.

“These allegations state a viable claim for violation of the data security regulations,” Salinger wrote in his decision, as quoted by Reuters.

Businesses that neglect to use the proper credit card processing security measures can feel the adverse consequences in a host of ways, including public relations, productivity and earnings. 911 Software provides the tools to keep your customers’ data behind closed doors.
