Panera Bread data breach exposes customer records


Panera Bread on Monday said it has resolved a security flaw on its website that exposed the data of thousands of customers, but denied the data breach exposed a “large number of records,” despite a report that the vulnerability may have leaked the personal data of millions of customers.

The website’s vulnerability, which appears to have first surfaced publicly via an anonymous PasteBin coding post on Monday, purportedly allowed easy access to customer names, email addresses, phone numbers and the last four digits of saved credit card numbers. Panera Bread confirmed the breach on Monday and said the “issue is resolved” without evidence of widespread customer exposure.

“Panera takes data security very seriously, and this issue is resolved,” Panera Bread Chief Information Officer John Meister said in a statement to FOX Business. “Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”

Meister added: “Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps.”

Brian Krebs, an independent investigative journalist who authors the “Krebs on Security” cybersecurity blog, reported that Panera was first alerted to the breach in August, eight months before it became public knowledge. Krebs says that indexed data from Panera’s website indicates that more than 7 million customers may be affected.

Panera representatives did not clarify what kind of private data was exposed. The chain operates more than 2,000 stores in the U.S.

The data breach comes days after Under Armour said a flaw in its MyFitnessPal app exposed the data of roughly 150 million users.