Panerabread.com kept leaking customer data 8 months after warning

It's one thing to have veteran hackers break into your website and database to pilfer sensitive customer data. It's quite another thing, however, to make it too easy for even the most novice of such security criminals to access said data. That, however, seems to be what Panera Bread has practically been accused of doing with its website leaking out customer information to anyone willing to try and take it. To make matters worse, the company apparently took no action 8 months after it was informed. That is until the news broke out to media.

Panera Bread is one of the largest bakery-cafe fast casual restaurant chains in North America, boasting of more than 2,100 locations in the US and Canada. It runs a website, Panerabread.com, that lets customers register to have orders prepared for pickup or delivery. They didn't know, however, that they were also signing up to have their data exposed.

Security researcher Dylan Houlihan approached the company August last year to inform them that their website was leaking data. That data was available as plain text and could be easily crawled by simple software. The data could be used to gather customer records, including names, emails, addresses, and more. The website also used simple sequential numbers for account IDs, making it easy to get the next user data in the records.

Panera's response was just as disastrous. It initially dismissed Houlihan's warning as a potential scam but later on confirmed it. However, nothing was done to change it and Houlihan checked every month. It wasn't until Krebs on Security published the incident that Panera actually took down the site for maintenance. But by then it might have already been too late.

The company later approached Fox News to downplay the security breach, claiming that only 10,000 customer records were exposed. Other security experts, however, suggested that the actual number could be as high as 37 million, exponentially more than Krebs on Security's 7 million estimate. So far there have been no reports of any use of stolen customer data. Perhaps hackers didn't think Panera Bread was worth the effort, not knowing they didn't need much effort after all.