FYI.


Awesome: Panera Knew About a Massive Data Breach for Months Before Doing Anything About It

Haha, whoops!
Photo via Flickr user Mike Mozart

Hey, I’ve got totally wonderful news for anyone who’s tried to order a bread bowl full of Broccoli Cheddar Soup on Panera Bread dot com. The fast-casual chain has reportedly been sitting on knowledge of a massive security vulnerability that exposed millions of customers’ data for a whopping eight months. Great times we’re living in here, folks, where you can totally and absolutely trust mammoth corporations with your data.


In a Medium post published on Monday, security researcher Dylan Houlihan alleged that he contacted Mike Gustavison, Panera’s Information Security Director, in August, alerting him to the existence of this vulnerability. The loophole revealed such customer data as first and last names, email and mailing addresses, birthdays, the final four digits of credit cards, dietary preferences, and loyalty card numbers in plaintext.

Gustavison, an alum of pre-breach Equifax (these stories write themselves!), appeared to brush off Houlihan's emails as a potential scam before taking them seriously and telling Houlihan the company was working towards a solution.

Eight months went by, though, and Houlihan noticed that the company had done nothing to remedy the issue. So he created a (now-defunct) Pastebin page and contacted high-profile security writer Brian Krebs, who published a post about the breach on his blog, KrebsOnSecurity, on Monday.

Krebs' widely circulated post brought such attention to the matter that it compelled Panera to act. By Monday afternoon, Panera had taken its website offline and claimed to have fixed the botched functionality, issuing a statement asserting that "it takes data security very seriously." The statement tiptoed around the fact that Panera had apparently been aware of the vulnerability for months. As Krebs noted, though, the "fix" was more of a band-aid: it simply required a login to view the page, where the data was still accessible to anyone who signed in. Krebs was able to find this same vulnerability at different endpoints on the site—catering.panerabread.com, for example—that hadn’t been addressed at all.
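The band-aid described above is a textbook case of authentication being mistaken for authorization, and of a guard living in one endpoint rather than being shared by every endpoint that serves the same records. The following is an added illustration, not Panera's code; the account store, the `Request` shape and the route names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample data standing in for a loyalty-account store.
ACCOUNTS = {
    1001: {"name": "A. Example", "email": "a@example.test", "card_last4": "1234"},
    1002: {"name": "B. Example", "email": "b@example.test", "card_last4": "9876"},
}

@dataclass
class Request:
    route: str                 # "<host>:<path>", e.g. "www:/account"
    account_id: int            # record the caller asks for
    session_user: Optional[int]  # None means not logged in

class Forbidden(Exception):
    pass

def band_aid_handler(req: Request) -> dict:
    """The 'fix' as reported: logged in? then return whatever record was asked for."""
    if req.session_user is None:
        raise Forbidden("login required")
    return ACCOUNTS[req.account_id]   # any logged-in user can read any record

def authorize_account(req: Request) -> dict:
    """Authentication AND authorization: the caller must own the record."""
    if req.session_user is None:
        raise Forbidden("login required")
    if req.session_user != req.account_id:
        raise Forbidden("not your account")
    return ACCOUNTS[req.account_id]

# One guard registered for every host/path that exposes the record, so a
# second front end (here a hypothetical catering site) cannot quietly skip it.
ROUTES: Dict[str, Callable[[Request], dict]] = {
    "www:/account": authorize_account,
    "catering:/account": authorize_account,
}

def serve(req: Request) -> dict:
    handler = ROUTES.get(req.route)
    if handler is None:
        raise Forbidden("unknown route")
    return handler(req)

def leaks_other_users_record(handler: Callable[[Request], dict], route: str = "www:/account") -> bool:
    """Detection check: can logged-in user 1001 read user 1002's record?"""
    try:
        handler(Request(route, account_id=1002, session_user=1001))
        return True
    except Forbidden:
        return False
```

The `leaks_other_users_record` check is the kind of regression test to run against every host that serves the record, not just the one where the bug was first reported.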


The company later told Fox News that the breach affected "fewer than 10,000 customers", much to the chagrin of Krebs, who estimated—per documents from the information security firm Hold Security—that the figure may be closer to 37 million.

Panera and Gustavison have yet to respond to requests for comment from MUNCHIES on Tuesday regarding the scope of the apparent leak, why it took the company so long to address this vulnerability, and how the company plans to assist affected customers.

Within his Medium post, Houlihan, who did not respond to an immediate request for comment on Tuesday from MUNCHIES, expressed frustration over press reports that were uncritically regurgitating Panera's party line.

“I’m not going to stand for reporting that sweeps all of this under the rug,” he wrote. “While Panera Bread’s website remains down due to several specific examples demonstrating the ‘resolution’ didn’t resolve anything, news reports are not updating this fact.”

Krebs, meanwhile, is suspicious of anything the company has to say about the breach.

“I'm afraid I have no idea,” Krebs wrote MUNCHIES over email on Tuesday when asked whether he knows if Panera has fixed the issues he identified. “I think they're the only ones who can answer that, and my guess is they won't.”