Millions of customer records stored on Panera’s website were leaked over a period of eight months, cybersecurity analysts said Monday.
The leaked customer records on PaneraBread.com include names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number, Krebs On Security reported.
The fast-food chain allows customers to place orders on its website at approximately 2,100 locations around the country.
Krebs On Security said security researcher Dylan Houlihan first discovered the breach and notified Mike Gustavison, Panera’s director of information security, about it on August 2, 2017.
However, eight months after that warning, the customer records were still being leaked.
“The flaw never disappeared,” Houlihan told Krebs on Security. “I checked on it every month or so because I was pissed.”
Panera said it is investigating the breach and that the report of millions of customers exposed is false, putting the number at “fewer than 10,000.”
“Following reports today of a potential problem on our website, we suspended the functionality to repair the issue,” the statement said. “Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved. Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue and we are working diligently to finalize our investigation and take the appropriate next steps.”