3 min read

Panera Bread's half-baked security


April 03, 2018

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Panera Bread's half-baked security

We’ve heard it all before. XYZ Company “takes your data security very seriously.”

Most commonly you’ll hear these words just after a company has suffered an embarrassing data breach, perhaps having carelessly exposed the personal information of innocent customers onto the net or had a database stolen by hackers.

The truth is that it’s a brave organisation which promises it will never suffer a serious security incident. Accidents can happen, human weaknesses can leave open vulnerabilities which hackers may be able to exploit, partners who work alongside your company may have had their own security fail which impacted your business.

In these instances, the only way to recover your customers’ trust and retrieve your company’s reputation from being tarnished too much is to respond appropriately to the incident. Often, in fact, the response to a security breach will be more critical to your company’s brand than the incident itself.

And, if you want an example of a company that has got it massively wrong look no further than Panera Bread, the North American chain of over 2000 bakery cafés.

If you visit Panera Bread’s website today, you won’t find the usual collection of sandwiches, soups, salads, and sausage rolls. Instead you’ll probably see a message like this:

Panera Bread’s website is down. In fact, it’s the second time it’s been down in the last couple of days. Let me explain why…

In August 2017, a security researcher called Dylan Hoilihan privately informed Panera Bread of a serious security vulnerability on the delivery.panerabread.com website, which meant that details of any signed-up customers’ full names, email addresses, phone numbers, and the last four digits of their saved credit card numbers could be scooped up.

A member of Panera Bread’s information security team responded to Houlihan, seemingly skeptical of the report – believing it to be a scammy sales pitch.

After a few days and some to-and-fro (which you can read on Houlihan’s blog post), Panera Bread confirmed it was working on resolving the issue.

That was back in August 2017.

As each month passes, Houlihan investigates whether the Panera Bread security vulnerability still exists – and, sadly, it does.

And so, eight months later and frustrated by the lack of response, he informs security blogger Brian Krebs who publicly reveals that millions of customer records are at risk.

Before publishing details of the problem, Krebs spoke to Panera Bread’s CIO John Meister, and the website was soon afterwards briefly taken down for “essential system maintenance”.

Krebs, no doubt, assumed that the problem was being resolved. But no explanation was made as to why no fix was put in place back in August 2017, when they were first informed of the problem by Houlihan.

And if you think that’s bad, things get worse…

Panera Bread told Fox News that “fewer than 10,000 consumers have been potentially affected by this issue” and that “this issue is resolved”.

However, within minutes of that claim it became apparent that the same vulnerability was *still* present on the website – and that the number of customer records exposed may total over 37 million.

And that’s why Panera Bread’s website is down again.

Let’s hope it is taking data security seriously now. Although wouldn’t it have been much better if the company had taken decisive action when the issue was first reported to them eight months ago?




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like