Panera Bread data breach: Here’s what we know


It seems like just about every week we hear of a new data breach affecting millions of people.

There are several reasons this could be the case: Criminals are using more sophisticated technology. Consumers could simply be doling out their data more, increasing the likelihood of hacks. But it may be equally true that the entities entrusted to safeguard our most sensitive information aren’t as equipped as they need to be.

Reports emerged Tuesday that hackers have targeted one of America’s favorite bakery-cafe chains, Panera Bread, where millions of customers’ personal information was leaked from online orders. First to report the breach was cybersecurity blogger Brian Krebs, who wrote about it on his site Krebs on Security.

The data breach is confined to customers who ordered food via, Kregs reports. But because the company is still looking into the matter, it remains unknown just how big of a security lapse this is.

Report: Millions of customers’ info stolen in Panera Bread data breach

Representatives of the Sunset Hills, Missouri-based company have disclosed relatively little about the hack, despite criticism that it seems to be downplaying the seriousness of the incident.

“Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved,” Panera Bread’s Chief Information Officer John Meister told Reuters.

Meister also told Fox Business that, “Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps.”

But Kregs, who said the company’s website has been leaking customers’ names, addresses, emails and the last four digits of their credit card numbers for at least the past eight months, said that the number of people affected is much higher.

To make matters worse for Panera Bread, Dylan Houlihan, the purported security researcher who first told the company about the breach has written a post on Medium about his account of the matter. Houlihan says: “In August 2017, I reported a vulnerability to Panera Bread that allowed the full name, home address, email address, food/dietary preferences, username, phone number, birthday and last four digits of a saved credit card to be accessed in bulk for any user that had ever signed up for an account.”


“Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months,” the researcher writes.

Krebs also said that Panera Bread’s director of information security — who was purportedly notified last summer about the security flaw on — previously served as senior director of security operations at Equifax. We all know what happened there.

Team Clark has reached out to Panera Bread for an independent statement and will update this story accordingly. But in the meantime, especially since the probe is ongoing, it’s probably not a good idea to put your information on the company’s website. That includes  and any other related payment portals.

RELATED: Saks got hacked. Here’s how to protect yourself

  • Show Comments Hide Comments