Panera Bread Website Leaking Customer Data

Researchers allege that millions of customer records were exposed, but Panera Bread claims fewer than 10,000 customers were impacted.

Data breach punch

Restaurant chain Panera Bread is leaking customer information, according to a report released on April 2.

Security researcher Dylan Houlihan claims he contacted Panera Breach in August 2017 about the issue, but the company did not fix it. In a post on Medium, Houlihan said he discovered an issue in the Panera Bread website that could have enabled anyone to access personally identifiable information about customers. Panera Bread has downplayed the issue, claiming that it has been fixed.

"Panera takes data security very seriously and this issue is resolved," John Meister, CIO of Panera Bread, wrote in a statement emailed to eWEEK. "Following reports today of a potential problem on our website, we suspended the functionality to repair the issue."

After not getting a response from Panera Bread, Houlihan contacted security blogger Brian Krebs, who further verified the security vulnerability claims. Krebs concluded that upward of 7 million customer accounts may be at risk from the flaw. Panera Bread, however, has a different view on the impact.

"Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved," Meister stated. "Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue and we are working diligently to finalize our investigation and take the appropriate next steps."


The root cause of the Panera Bread vulnerability that Houlihan discovered is a lack of authentication for a publicly available API endpoint. The unauthenticated API access can reveal the name, email address, phone number, home address and last four digits of a credit card number of anyone who has an account to order food from Panera Bread.

"Note that you can look up usernames/email addresses for Panera Bread accounts if you know the target's phone number," Houlihan wrote in a Pastebin post detailing the full vulnerability. "This returns the username/email address and last four digits of the saved credit card of every user who has ever signed up with that phone number."

Best Practices

"Sadly, this type of attack being successful against a company website is not at all surprising," A.N. Ananth, chief strategy officer at Netsurion, told eWEEK. "Every website, every public facing computer system is under constant attack 24/7 by automation which exploits well-known vulnerabilities and poor coding techniques."

Multiple things can be done to mitigate the risk of vulnerabilities in website applications. Among the best practices recommended by security experts is to have a penetration testing program to test for vulnerabilities.

"Penetration testing is a key activity in any security program," Michael Gianarakis, director of SpiderLabs at Trustwave, told eWEEK. "It is essential to ensure that a regular, detailed assessment of critical applications forms part of an organization’s security activities to ensure issues are identified before they expose the organization or its customers."

Gianarakis also recommends that organizations embed security into the software development life cycle to help prevent vulnerabilities from being written into the software in the first place. 

"Training developers on secure coding techniques; incorporating security into testing, code review and build processes; and designing security-conscious software are all key to improving the overall security of an organization's applications," he said.

From a threat detection standpoint, Ananth said preventative controls won't always catch every vulnerability. In his view, in the current threat landscape organizations should assume hackers are already in the network. With that mindset, Ananth said attackers are caught through continuous monitoring for indicators of compromise.

Being able to respond to issues once they are found is another key best practice for organizations.

"It's important to understand that it's not a question of if you will face a security issue, but when," Gianarakis said. "Having a robust set of processes to respond and recover from these incidents is critical to minimize their impact."

The fact that Panera Bread was aware of the unauthenticated API issue for months before acting to fix the flaw is a concern that was highlighted by Bob Rudis, chief security data scientist at Rapid7.

"Any breach like this should help underscore to all organizations the importance of developing a solid set of processes and procedures for processing vulnerability reports from responsible researchers," Rudis told eWEEK. " Well-honed plans can help speed up remediation, protect sensitive data and prevent exposure events from spiraling out of control."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.