Customer information was up for grabs on the Panera Bread website for at least eight months, according to a report from cybersecurity writer Brian Krebs.
A flaw in the website meant that anyone who knew where to look could find customer names, email addresses, birthdays and the last four digits of payment cards, as well as phone numbers and physical addresses.
Security researcher Dylan Houlihan notified the company in August 2017, but the issue wasn't resolved until Krebs reached out to Panera on Monday, Krebs said. Panera confirmed customer data was exposed and said the problem affected fewer than 10,000 Panera customers.
"Panera takes data security very seriously and this issue is resolved," said John Meister, Panera's chief information officer, in an emailed statement. "Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved."