WASHINGTON (dpa-AFX) - Bakery chain Panera Bread's website leaked 'millions' of customer records for at least eight months before it was taken offline earlier on Monday, according to cybersecurity blog KrebsOnSecurity.
Brian Krebs, an independent journalist who investigates breaches, reported on his KrebsonSecurity website that the customer records included names, email and physical addresses, birthdays and the last four digits of customers' credit card numbers.
The blog said it learned about the data breach after being contacted by security researcher Dylan Houlihan, who said he first notified Panera about the vulnerable data on its website back in August 2017.
Houlihan said he reached out via email, Twitter and LinkedIn to Panera Bread's director of information security Mike Gustavison to inform about the issue.
'The data available in plain text from Panera's site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com,' KrebsOnSecurity said.
Houlihan told KrebsOnSecurity that he never saw any indication Panera ever addressed the issue he had reported in August 2017, until Monday.
When KrebsOnSecurity contacted Panera's Chief Information Officer John Meister about the issue, the company briefly took its website offline on Monday.
Panera issued a statement saying it has suspended the functionality of its website to repair the issue of data security.
The company also said that while its investigation was continuing, there was no evidence of payment card information nor a large number of records being accessed or retrieved. Meister reportedly said that the leaks affected 'fewer than 10,000 consumers.'
But the flaw was not immediately resolved when the website went back online, according to Houlihan. Later on Monday, Panera again took the site offline and apparently fixed the flaw.
However, KrebsOnSecurity reported that at last count, the number of customer records exposed in the data breach appeared to exceed 37 million.
Copyright RTT News/dpa-AFX