(RNN) - Panera Bread leaked online customers’ information on its website for at least eight months, according to a report by KrebsOnSecurity.
Customer names, birthdays, addresses, e-mail addresses, Panera loyalty card numbers and the last four digits of credit cards were all available in plain text on the restaurant chain’s website.
Dylan Houlihan, a security researcher, tipped off KrebsOnSecurity on April 2. He first told Panera about the leak on Aug. 2, 2017.
An email exchange between Houlihan and Mike Gustavison, Panera’s director of information security, seems to indicate the leak was initially dismissed only to be validated a week later, according to KrebsOnSecurity.
“Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you’d like, up to and including the entire database,” Houlihan told KrebsOnSecurity.
Houlihan said he didn’t see any indication the St. Louis-based company addressed the issue until April 2.
Panera took down its website on that day. When it came back online, the data was no longer available.
Panera’s chief information officer John Meister released the following statement to KrebsOnSecurity and Fox Business:
“Panera takes data security very seriously and this issue is resolved. Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”
Copyright 2018 Raycom News Network. All rights reserved.