On Monday, security expert Brian Krebs reported that PaneraBread.com, the online domain for the USA bakery and cafe chain, exposed customer records including names, email addresses, physical addresses, dates of birth, loyalty card numbers, and the last four digits of credit card numbers.
The exposed data includes customer names, email addresses, birthdays, the last four digits of payment cards, phone numbers, and physical addresses, reports cybersecurity writer Brian Krebs.
The data leak was found in 2017 by Dylan Houlihan.
Panera said in a statement to KrebsOnSecurity that it gives priority to data security and that this problem is now fixed.
But Houlihan said the flaw "never disappeared".
Krebs spoke with Panera's chief information officer, who temporarily shut down the website to fix any vulnerabilities and get rid of sensitive content. However, the company had no comment as to why it allowed the problem to exist for months after it acknowledged it was an issue last August.
Instead, the company suggested in a statement to Fox News that 10,000 or fewer records had potentially been affected, and assured the public that the brand was taking the right steps toward cyber security.
However, within minutes of that claim it became apparent that the same vulnerability was *still* present on the website - and that the number of customer records exposed may total over 37 million.
Houlihan wrote that Gustavison, the information security director at Panera he corresponded with in August, was senior director of security operations at Equifax from 2009 to 2013.
That is the kind of information that can make identity theft a little easier, though fortunately no Social Security numbers were compromised (it would have been silly for Panera Bread to collect such information in the first place).