Panera Bread Accidentally Leaked Millions Of Customers’ Info For 8 Months

Screenshot by Dylan Houlihan

Panera Bread had millions of customers’ credit card numbers, birthdays, email addresses, and home addresses out in the open for 8 months, according to Krebs on Security.

Apparently, any customer who had ever signed up for an account on the Panera Bread site had their personal information, down to their food preferences, visible in plain text directly on the site.

The problem was initially brought to Panera’s attention by security researcher Dylan Houlihan, whose information was also leaked on the Panera site. This was back in August 2017, as Houlihan recounted in a story posted to Medium, showing screenshots of his conversation with Panera’s Information Security Director Mike Gustavison. Gustavison said they’d take care of it, but 8 months later, as Houlihan kept tabs on the Panera site, nothing had been done.

That is when Brian Krebs of Krebs on Security brought it to Panera’s attention on Monday. Krebs is one of the most credible sources for data breaches such as this, and Panera acknowledged him as well. Panera said the issue was taken care of, but two hours later, the information was still publicly visible.

That’s two different people, two separate acknowledgments, and two promises that it’d be resolved, but nothing was done — for eight freaking months.

That’s when Krebs really pressed Panera on Twitter, vociferously calling them out for telling Fox News that only about 10 thousand customers were affected, downplaying the number. In reality, Krebs believes that more than 7 million people could have been affected, although official numbers have not been publicly released yet.

Basically, Panera’s security team didn’t give a shit about the leak until they were publicly under fire. Millions of customers had sensitive information flapping in the breeze, and for some unknown reason, Panera did nothing to protect them.

If you click on the links now, they are dead, and no longer show the information. Krebs said there is no evidence of it being a problem, but we are still waiting on Panera to respond and assure everyone that it has finally been resolved.


Whole Foods Credit And Debit System Hacked, Find Out If You’re Affected

The last thing you want to hear is that one of your favorite supermarkets had a data breach, thus putting your information at risk, but the silver lining is that it wasn’t as massive as it could have been, as of now.

Whole Foods revealed that customers who used debit or credit cards at their “taprooms” or full-service restaurants could be affected by the breach, and should keep a close eye on their accounts.

There are more than 40 Whole Foods Taprooms across the U.S., and while there is no readily available count of the full-service restaurants, if you were a patron of one, this could affect you.

Thankfully, Whole Foods said the breach did not extend to their regular grocery stores, as they use a completely different “point-of-sale system,” and even with the recent Amazon buyout, you don’t have to worry about the hack affecting your Amazon account.

Whole Foods seems to be vigorously investigating the breach, using a forensics team and even law enforcement expertise to help.

While it didn’t affect all 450 Whole Foods, it was a nationwide-level breach that touched several popular locations, so keep watch on your payment cards and purchasing activity.


Arby’s Had A Massive Breach, So Check Your Credit Cards

If you’ve been to Arby’s lately, you might want to check your credit or debit card information.

Arby’s is investigating a breach that could have affected 355,000 customers at hundreds of its stores, according to Krebs on Security.

Malware was apparently spotted in Arby’s payment systems, but it only affected the corporate-owned restaurants, and not independently owned franchises.

Although they didn’t even know about the breach until mid-January, they said they were able to contain it and get rid of the malware.

There were rumors about the breach going around, as Public Service Credit Union, the largest credit union in the US, received an alert that more than 355,000 Visas and MasterCards were compromised.

Krebs on Security spoke to an Arby’s spokesperson, who said:

“Arby’s Restaurant Group, Inc. (ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems. Upon learning of the incident, ARG immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant.”

Arby’s declined to comment on how long the malware was in the system, but PSCU said it could have been between October 25, 2016 and January 19, 2017.

There are thousands of Arby’s in the US and it’s hard to tell which are corporate or franchise-owned, but if you’ve eaten there in the last three months, you should just make sure everything’s square with your payment cards.