Panera, also known as St. Louis Bread Company, reportedly leaked millions of customers' records online, according to a security company.
On Monday, the security company KrebsOnSecurity reported the leak. The company said the records, which were available online for about eight months, contained names, email and physical addresses, birthdays and the last four digits of customers' credit card numbers.
Panera pulled its website down to fix the problem, Fox 2 News reported. The company's website was up and running on Tuesday morning, though.
The data available in plain text from Panera’s site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com, KrebsOnSecurity reported.
According to Quartz, the data leak was discovered last year by Dylan Houlihan, the managing principal of New York-based Breaking Bits, a “data mining, reverse engineering and security consulting practice.”
Houlihan said he reached out via email, Twitter, and LinkedIn to Panera Bread’s director of information security, Mike Gustavison, upon discovering the breach, but received no reply, Quartz reported. In early August, Houlihan successfully reached Gustavison through an introduction and Gustavison told him the security team was “working on a resolution.”
According to ABC News, Panera issued the following statement:
“Panera takes data security very seriously and this issue is resolved. Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”
KrebsOnSecurity initially placed the number of customers potentially affected by the leak at “higher than 7 million,” and later pegged it at 37 million. In statements to Fox Business after Krebs published his piece, however, Panera’s chief information officer John Meister said the leaks affected “fewer than 10,000 consumers.”