
Panera website leaked customer data for months, report says

The site exposed customer names, email addresses, birthdays and more until security writer Brian Krebs notified the company Monday, he said.

Laura Hautala Former Senior Writer
A Panera Bread restaurant in Miami Beach, Florida. The company's website leaked customer data for at least eight months, according to a report from Brian Krebs.

Joe Raedle / Getty Images

Customer information was up for grabs on the Panera Bread website for at least eight months, according to a report from cybersecurity writer Brian Krebs.

A flaw in the website meant that anyone who knew where to look could find customer names, email addresses, birthdays and the last four digits of payment cards, as well as phone numbers and physical addresses.

Security researcher Dylan Houlihan notified the company in August 2017, but the issue wasn't resolved until Krebs reached out to Panera on Monday, Krebs said. Panera confirmed customer data was exposed and said the problem affected fewer than 10,000 Panera customers.

"Panera takes data security very seriously and this issue is resolved," said John Meister, Panera's chief information officer, in an emailed statement. "Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved."