Is it possible for any private information or data to stay that way online these days? Really, when was the last time we got through a couple of days without learning of some kind of hack or breach or betrayal of trust?
The latest company to fall victim is Panera Bread, through their website Panerabread.com. However, unlike some other times when this has happened, it is less of a breach by a hacker than it is a website springing a leak.
What’s worse is that Panera Bread learned of the issue last summer, yet did not do anything about it until now. Why would you wait to fix a security flaw?
Here’s what we know
A security researcher named Dylan Houlihan discovered the problem back in August 2017. He alerted Panera Bread back then and corresponded with Panera Bread’s director of information security Mike Gustavison, but it took until April 2 for them to actually do something about it.
Note: According to his LinkedIn profile, Mike Gustavison was also Equifax’s Senior Director of Security Operations from 2009 to 2013.
That’s when Panera Bread, which has more than 2,100 bakery-cafes across America, took the part of the site that was problematic offline.
In the meantime, customer records that included names, addresses (email and physical), birthdays and the last four digits of credit cards were being leaked onto the internet. In total, it appears more than 7 million online accounts were impacted.
Update: 04/03/2018 8:00AM PST – KrebsOnSecurity stated that the number of customer records exposed in this leak now appears to exceed 37 million!
With enough effort and know how it would have been possible to piece together the data to form an idea of who the customers were. It was not all that difficult to find, either, as the format of the database that was leaked made it simple to search via data points, including phone numbers.
It is unknown if customer account passwords were also leaked.
In a statement to KrebsOnSecurity.com, Panera maintains there is no evidence of cards or other large amounts of important information being accessed or retrieved, though their investigation is ongoing.
Panera execs have some questions to answer. The fact that this happened and took as long as it did to fix, is deeply concerning.
What can you do now?
First, change your account passwords. This is also a good time to review your banking accounts and check for signs of identity theft and fraud.
Also, watch out for any phishing attempts that may capitalize on the situation. Carefully scrutinize any emails, texts or calls claiming to be from Panera, they might be just fraudulent attempts to steal more of your personal information.
While you’re at it, it is important to create strong and unique passwords for every online account you have. A single data breach is all it takes to compromise your multiple online identities.
But if you shopped here, hackers have your personal data, credit card and more
We’ve just learned of another massive data breach and if you’ve shopped at this popular retailer, hackers have your personal data, credit card information and more. Click here to see what we are talking about.