LOS ANGELES (CBSLA/CNET) – The popular restaurant chain Panera Bread exposed the personal information of its online customers for months before a website glitch was caught this week, according to a report.
The breach was not the result of a hack, but however allowed anyone who knew where to look to access the personal information for anyone who signed up for online food ordering through PaneraBread.com, according to KrebsOnSecurity.com, a site operated by cybersecurity expert Brian Krebs.
That information, available in plain text, included customers’ names, emails, physical addresses, birthdays and the last four digits of their credit cards, Krebs said.
The leak was only caught Monday. Panera’s website was down as of Tuesday morning.
Security researcher Dylan Houlihan notified the company of the leak in August 2017, but the issue wasn’t resolved until Krebs reached out to Panera on Monday, Krebs said.
The personal information was available on Panera’s website since at least last August, Krebs reports. It is unclear how many customers were effected.
Panera acknowledged the leak Monday, but disputes Krebs allegation that it had effected millions of customers. Panera claims the records of only about 10,000 customers were exposed.
“Panera takes data security very seriously and this issue is resolved,” said John Meister, Panera’s chief information officer, in an emailed statement to CNET Monday. “Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”
Panera Bread has about 2,100 restaurants in the U.S. and Canada.