American fast-casual restaurant chain Panera Bread has reportedly been hit by a data breach exposing sensitive data of around 37 million customers who made transactions through its website, with the records having been leaking for at least eight months, according to security news site KrebsOnSecurity.
KrebsOnSecurity reported that the leaked data included names, partial credit card information, email and physical addresses, birthdays and Panera loyalty card numbers.
Security researcher Dylan Houlihan notified Panera of the vulnerability in August last year. Houlihan provided an account of his email exchange with Panera’s director of information security, Mike Gustavison, who initially dismissed the report.
Gustavison later ended the exchange with Houlihan by stating that Panera was ‘working on a resolution’.
Houlihan was quoted by KrebsOnSecurity as saying: “Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you’d like, up to and including the entire database.
“No, the flaw never disappeared. I checked on it every month or so because I was pissed.”
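The enumeration Houlihan describes is a classic insecure direct object reference (IDOR): an endpoint looks up a record by a guessable integer and never checks that the caller owns it. The following is an added example written for this page, not code from Panera, KrebsOnSecurity or Houlihan; the account records, handler names, log lines and thresholds are all constructed for illustration. It places a vulnerable lookup beside a hardened one (unguessable IDs plus an ownership check), runs the increment-through-the-IDs attack against both, and finishes with a simple server-side check that flags a session reading an implausible number of distinct accounts.

```python
"""IDOR via sequential account IDs: vulnerable vs hardened lookup, plus detection.

Added illustrative example; none of the names, data or thresholds are from
Panera's systems or the KrebsOnSecurity report.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: int   # sequential integer assigned at signup: 1, 2, 3, ...
    public_id: str    # random, unguessable identifier exposed to clients
    name: str
    email: str
    card_last4: str


@dataclass
class Store:
    by_int: dict = field(default_factory=dict)
    by_public: dict = field(default_factory=dict)


# Constructed sample accounts (hypothetical data).
SAMPLE_ROWS = [
    ("Alice Example", "alice@example.com", "1111"),
    ("Bob Example", "bob@example.com", "2222"),
    ("Carol Example", "carol@example.com", "3333"),
]


def build_store(rows):
    """Assign IDs sequentially, as a naive signup flow would."""
    store = Store()
    for i, (name, email, last4) in enumerate(rows, start=1):
        acct = Account(i, secrets.token_urlsafe(16), name, email, last4)
        store.by_int[i] = acct
        store.by_public[acct.public_id] = acct
    return store


def _public_view(acct):
    return {"name": acct.name, "email": acct.email, "card_last4": acct.card_last4}


def get_account_vulnerable(store, session_account_id, requested_id):
    """Vulnerable: the session's identity is accepted but never compared
    against the requested record, so any integer that exists is returned."""
    acct = store.by_int.get(requested_id)
    if acct is None:
        return 404, None
    return 200, _public_view(acct)


def get_account_hardened(store, session_account_id, requested_public_id):
    """Hardened: look up by an unguessable ID and require that the caller owns it.
    'Not found' and 'not yours' share one response so the endpoint does not
    confirm which identifiers exist."""
    acct = store.by_public.get(requested_public_id)
    if acct is None or acct.account_id != session_account_id:
        return 403, None
    return 200, _public_view(acct)


def enumerate_accounts(store, handler, attacker_session_id, max_id):
    """The attack Houlihan describes: walk the integer space and keep every hit."""
    dumped = {}
    for candidate in range(1, max_id + 1):
        status, body = handler(store, attacker_session_id, candidate)
        if status == 200:
            dumped[candidate] = body
    return dumped


# Constructed request log: (session_id, requested_account_id). One session walks
# IDs 1..50; a normal user re-reads its own account a few times.
SAMPLE_LOG = [("s-attacker", i) for i in range(1, 51)] + [("s-normal", 7)] * 5


def flag_enumeration(request_log, threshold=20):
    """Flag sessions that read at least `threshold` distinct account IDs.
    A production check would also bound this by time window and client IP;
    the distinct-ID count is the core signal."""
    seen = {}
    for session_id, acct_id in request_log:
        seen.setdefault(session_id, set()).add(acct_id)
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    store = build_store(SAMPLE_ROWS)
    print("vulnerable:", enumerate_accounts(store, get_account_vulnerable, 1, 10))
    print("hardened:  ", enumerate_accounts(store, get_account_hardened, 1, 10))
    print("flagged:   ", flag_enumeration(SAMPLE_LOG))
```

Against the vulnerable handler a single low-privilege session dumps every record up to the highest existing ID, and the first 404 after the last hit even reveals the table size; against the hardened handler the same loop yields nothing, while the legitimate owner can still fetch their own record through its public ID. The detection function is deliberately simple: a session that touches dozens of distinct account IDs is behaviour no ordering workflow produces.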
Initially, KrebsOnSecurity reported that the leak could include sensitive information of seven million customers. The restaurant chain’s website was also taken offline after reports of the possible data leak emerged.
Panera then issued a statement in response to the reports, saying that only 10,000 customer records were compromised.
However, KrebsOnSecurity subsequently reported that the leak may involve the data of more than 37 million customers.
Panera allows customers to order food from its 2,100 locations in the US and Canada through its website.