It started with a warning email last summer, from a security researcher who told Panera Bread that its website was exposing sensitive customer data. But after the problem went unfixed for months, the researcher went public with proof of the flaw. Another analyst said Panera's response was "half-baked."
"Originally I was content to wait eight months for Panera to fix this on their own," researcher Dylan Houlihan said in his story on the Medium website. "But this is ridiculous."
After the issue was flagged on Monday, Panera's website was taken down. It's now back online, but the main page doesn't include any information to tell customers about the breach, and no mention is made on its "press room" page, either. Panera did not respond to NPR's request for comment before we published this story.
The exposed data included Panera customers' first and last name, their date of birth, address, email address, phone number and the last portion of their credit card number. The sensitive information was easily accessed and read via the site, Houlihan said in the warning he sent to Panera last August, when he offered to provide proof of the problem. Customers' data was easy to compile, he said, because their ID numbers were listed in the simplest way possible: sequentially.
To Panera, Houlihan's initial warning came off as a bid for work — and maybe even a scam. That's what the company's lead security executive, Mike Gustavison, told him in an email that Houlihan reproduced in his Medium story. While saying he was willing to talk, Gustavison added, "I will not be duped, demanded for restitution/bounty or listen to a sales pitch."
To that email, Houlihan replied that he was acting in good faith, having come across the problem accidentally.
"I am not exaggerating when I say you have a massive sensitive data exposure issue," he said, "and I'd simply like you to be made aware of it so you can quickly resolve it."
Houlihan said he was particularly concerned because as a Panera customer, his data was among the exposed records.
In that exchange of emails in early August 2017, Gustavison eventually thanked Houlihan and said, "we are working on a resolution."
But when Houlihan checked to see if the website had been patched, the vulnerability persisted. After months passed, he acted this week, first by posting information about the breach online, and then by contacting security analysts, including writer Brian Krebs. After probing the vulnerabilities further, Krebs said on his website, he found that millions of customers' data was exposed.
"The data available in plain text from Panera's site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com," Krebs wrote, adding that the huge company has more than 2,100 stores.
Panera collects customers' information online for everything from its awards and loyalty program to individual orders, delivery, and catering jobs.
Krebs and Houlihan are sharply criticizing Panera's handling of the issue, saying the company does not take web security seriously enough — and that it wasn't being honest when it said the breach was a) small and b) fixed. Both of the security experts said Panera wildly understated the problem when it told Fox Business Network on Monday night that "fewer than 10,000 consumers have been potentially affected" by the issue.
In contrast, Krebs wrote on his site that "incremental customer numbers indexed by the site suggest that number may be higher than seven million." But Krebs later updated the figure to include the findings of other researchers who found the same vulnerabilities in Panera's commercial division, stating, "the number of customer records exposed in this breach appears to exceed 37 million."
On the Fox channel, Panera's chief information officer, John Meister, said "Panera takes data security very seriously, and this issue is resolved."
After the Fox Business segment aired, Krebs tweeted to Panera Bread, "before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn't extend to all other parts of your business." — adding a link to another section of the company's site that he said remained at risk.
Krebs also highlighted the fact that prior to joining Panera in 2013, Gustavison was the senior director of security operations at Equifax — another company that has recently endured a huge security breach, and which has also been faulted for the way it handled the case (including tweeting links to a bogus website).
After the story broke, Krebs and Houlihan called for companies to review how they deal with such breaches.
"It's easy to bully Panera Bread for this, but in my opinion we need to take Panera Bread's actions as symptomatic of a much larger issue with security reporting and compliance," Houlihan wrote on Medium. "This is not a problem unique to any particular type of company. This has happened before and it will continue to happen."
Houlihan recommended changes, including a push to hold companies more accountable for breaches. And he urged any security personnel to make it easy to receive reports of vulnerabilities — and to act on them.
Just weeks before Houlihan sent his warning of a security flaw to Panera last summer, the coffee and bakery chain was finalizing its acquisition by Europe's mammoth JAB Holding Company, in a $7.5 billion-dollar deal.
JAB's other properties range from Krispy Kreme and Caribou Coffee to Einstein Bros Bagels and Keurig Green Mountain. We haven't seen any reports of similar security problems at those enterprises.