Being light, airy, and full of holes is a good quality in an English muffin. Unfortunately for Panera Bread, their online security system seems to have similar attributes. According to the KrebsOnSecurity blog, a data breach may have exposed as many as 37 million customer records at the bakery chain for at least eight months, including the records of any customer who ordered food online from panerabread.com, which was taken offline late Monday. The blog says the exposed records include names, email and physical addresses, and the last four digits of customers' credit card numbers. Security researcher Brian Krebs says the information was available in plain text and could easily have been lifted by automated tools.
Krebs says he was informed of the breach by security researcher Dylan Houlihan, who shared emails showing that he first contacted Panera director of information security Mike Gustavison about the problem in August last year. John Meister, Panera's chief information officer, tells Fox that the company takes security very seriously and "this issue is resolved." He says there is no sign that a large number of records were retrieved and contrary to Krebs' report, the company believes fewer than 10,000 customers were affected.
Gizmodo notes that more security issues, including exposed administrative logins, came to light after the Krebs report Monday night, and as a "kicker," Gustavison, the information security chief, directed security at Equifax before the massive breach that exposed data on 143 million Americans.