Link: Panera’s Web Site Leaks Millions of Customer Records

Shared on April 3, 2018

Brian Krebs:

Panerabread.com, the Web site for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months before it was yanked offline earlier today, KrebsOnSecurity has learned.

The data available in plain text from Panera’s site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com. The St. Louis-based company, which has more than 2,100 retail locations in the United States and Canada, allows customers to order food online for pickup in stores or for delivery.

At this point, how has any reasonably sized business not done an internal audit of its systems and at least attempted not to become the next data breach headline? In Panera’s case, it’s even more shameful since this was brought to their attention last August. Although not nearly as severe as the Equifax breach, in both the number of people affected and the type of data exposed, it’s still something that should not be happening as often as it is. Furthermore, it is a bit funny that Mike Gustavison, Panera’s director of information security, was previously at Equifax, but left that position in 2013.

Update: If you’re curious about the technical details, Dylan Houlihan discovered the vulnerability and provided a nice write-up, including how it was reported.
