Panera Bread Latest to Get Hit with a Possible Data Breach

Panera Bread's website leaked customer records for 8 months, report says

Panera Bread may have accidentally leaked millions of customer records, according to a story published Monday by Brian Krebs, a former reporter for The Washington Post, on his website, Krebs On Security.

The all-you-can-eat menu on its website offered online account holders' full names, home addresses, email addresses, dietary preferences, usernames, phone numbers, birthdays and the trailing four digits of saved credit cards to anyone able to construct a simple web query.

'Panera takes data security very seriously, and this issue is resolved,' Panera Bread Chief Information Officer John Meister told FOX Business.

So, if you have an account with Panera Bread, you may want to keep a close eye on it over the next few weeks - just to make sure your information hasn't been hacked.

A member of Panera Bread's information security team responded to Houlihan, seemingly skeptical of the report - believing it to be a scammy sales pitch.

I'm honestly getting sick of having to write these stories about data leaks and security breaches that divulge the information of massive amounts of people. It was initially thought that only seven million or so customer records were exposed, but further research has reportedly found that the vulnerability extends to Panera's commercial division, one that serves many catering companies.

The data breach comes days after Under Armour said a flaw in its MyFitnessPal app exposed the data of roughly 150 million users.

However, within minutes of that claim it became apparent that the same vulnerability was *still* present on the website - and that the number of customer records exposed may total over 37 million. And even though Panera Bread had been aware of the issue since August of last year, "the flaw never disappeared", Houlihan said, adding that he "checked on it every month or so because I was pissed".

Despite Houlihan continuing to follow up, a resolution was not reached, and the website was not taken down for security reasons until this week.