Panera Bread *finally* acknowledges data compromise

A vulnerability was discovered at Panera Bread in August of 2017 and was finally acknowledged by the company on April 3 of this year. Compromised data includes names, emails, physical addresses, birthdays and the last four digits of the customer’s credit card number. “There is no evidence of payment card information nor a large number of records being accessed or retrieved,” Panera Chief Information Officer John Meister wrote in an emailed statement.

The data was obtained through a website vulnerability that has now been reported as corrected.

The bad news here is that data was leaked for 8 months after a security researcher contacted Panera in August 2017 with details of the exploit.

The actual fix was a patch to the website that took 1 hour to deploy.

While Panera has talked about “[not] a large number of records” being affected, they have apparently identified 10,000 customers who likely did have their information exposed. Other reports suggest as many as 37 million accounts may have been exposed.

This is another good reason why your company should have a Dark Web monitoring solution like MicroData’s Dark Web Guardian in place. You may never know exactly what credentials and PII have been compromised in any given breach. And some compromises may never be reported, so your business needs to be checking aggressively for compromises on its own.

And tell your users that if they previously set up and used an online Panera Bread account, to be safe they should change their password at that site and at any other place where they may have reused the same email/password combination.

And of course, remind your employees to never use their corporate email address and password for account registration with other businesses/social media sites/entities.