(Panera Bread) Exposes Millions of Customers details for 8 months and lied about fixing it (Panera Bread) Exposes Millions of Customers details for 8 months and lied about fixing it

Week after week we keep seeing new breaches and leaked data in the news, but this time we have a company that lied so many times about it. 8 months ago Dylan Houlihan emailed the company about a URL scheme that allowed anyone to view customer records including the last digits of credit cards. When he alerted them after many back and forth emails where they assumed he was lying at first. After Mike Gustavison who is in charge of IT emailed Dylan back saying that they are working on a resolution. That was 8 months ago and during this time the site was still exposing millions of records. It after 8 months of waiting Dylan messaged Troy Hunt and Brian Krebs who are both well known security researchers in the hope they can help get the company to fix it. A article was made by Brian Krebs after a final attempt to get Panera Bread to fix the leak. When this did not happen the article went live and went offline.

You would assume that when the site came back up a few hours later that the problem was fixed, after all the company did say to news outlets that only 10,000 records where exposed and it was fixed within hours of being reported. But at last the site only placed the URL behind the site login so any user after login was still able to see the data in the clear. Not only that but many problems with the service has since been found including public database access and more.

The site was then down for almost 12 hours before this morning going back online without any response about the breach/leak.


(This is a older article that never got posted on time)

Anthony Rossbach

Anthony Rossbach

A developer that has built large scale services that handles millions of requests daily. Anthony also created and runs the hosting service NodeHost.