Panera's failure to disclose a known security breach - Revision history

Mr Pollo: used galleries

2026-04-14T13:13:12Z

used galleries

← Older revision		Revision as of 13:13, 14 April 2026
Line 13:		Line 13:
	==Original Contact==		==Original Contact==
	On 02 August 2017, Security Researcher Dylan Houlihan first contacted Panera Bread security director Mike Gustavison of a breach after finding it accidentally through their website, containing customers accounts information that includes full name, home address, email address, food preferences, username, phone number, birthday and last four digits of a debit/credit card in plain text.<ref>{{Cite web \|last=Houlihan \|first=Dylan \|date=3 April 2018 \|title=No, Panera Bread Doesn’t Take Security Seriously \|url=https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 \|url-status=live \|archive-url=https://web.archive.org/web/20180403023125/https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 \|archive-date=3 April 2018 \|access-date=29 March 2026 \|website=Medium}}</ref><ref>{{Cite web \|last=Krebs \|first=Brian \|date=2 April 2018 \|title=Panerabread.com Leaks Millions of Customer Records \|url=https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ \|url-status=live \|archive-url=https://web.archive.org/web/20180402220110/https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ \|archive-date=2 April 2018 \|access-date=29 March 2026 \|website=KrebsOnSecurity}}</ref>		On 02 August 2017, Security Researcher Dylan Houlihan first contacted Panera Bread security director Mike Gustavison of a breach after finding it accidentally through their website, containing customers accounts information that includes full name, home address, email address, food preferences, username, phone number, birthday and last four digits of a debit/credit card in plain text.<ref>{{Cite web \|last=Houlihan \|first=Dylan \|date=3 April 2018 \|title=No, Panera Bread Doesn’t Take Security Seriously \|url=https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 \|url-status=live \|archive-url=https://web.archive.org/web/20180403023125/https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 \|archive-date=3 April 2018 \|access-date=29 March 2026 \|website=Medium}}</ref><ref>{{Cite web \|last=Krebs \|first=Brian \|date=2 April 2018 \|title=Panerabread.com Leaks Millions of Customer Records \|url=https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ \|url-status=live \|archive-url=https://web.archive.org/web/20180402220110/https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ \|archive-date=2 April 2018 \|access-date=29 March 2026 \|website=KrebsOnSecurity}}</ref>
	[[File:Panera Bread hack on website.png~~\|thumb~~\|Hacked Website]]		<gallery>
	[[File:Panera Bread first email.png~~\|center\|thumb~~\|First Response ]]		File:Panera Bread hack on website.png\|Hacked Website
			File:Panera Bread first email.png\|First Response
			</gallery>


	The next day, the company responded back, perceiving the message as spam and a attempt at a "sales pitch", suggesting a "better approach" due to demanding a PGP key to be "not a good way to start off". Couple hours later, Dylan Houlihan responded by stating he didn't make any attempts at a sales pitch, along with asking to send the vulnerability information via PGP or email.		The next day, the company responded back, perceiving the message as spam and a attempt at a "sales pitch", suggesting a "better approach" due to demanding a PGP key to be "not a good way to start off". Couple hours later, Dylan Houlihan responded by stating he didn't make any attempts at a sales pitch, along with asking to send the vulnerability information via PGP or email.
	[[File:Panera Bread third email.png~~\|thumb~~\|PGP Received]]		<gallery>
	[[File:Panera Bread second email.png~~\|left\|thumb~~\|Second Email]]		File:Panera Bread third email.png\|PGP Received
	[[File:Panera Bread fourth email.png~~\|center\|thumb\|250x250px~~\|Fourth Email]]		File:Panera Bread second email.png\|Second Email
			File:Panera Bread fourth email.png\|Fourth Email
			</gallery>


Line 43:		Line 46:
	{{reflist}}		{{reflist}}
	[[Category:Panera Bread]]		[[Category:Panera Bread]]
			[[Category:2017 incidents]]

SquidthePlummer: /* Lawsuit */ added 2018

2026-04-04T23:09:36Z

Lawsuit: added 2018

← Older revision		Revision as of 23:09, 4 April 2026
Line 36:		Line 36:

	==Lawsuit==		==Lawsuit==
	On 04 May 2018, plaintiff Alisha Boykin, Kristen Hansen, Tracy Mangano, Amy Dittbenner, Lara Sulelman, and Dusica Perez file a class action lawsuit against Panera for failure to investigate and alert customers of the data breach, claiming "Panera has taken no other efforts since discovering the security breach to inform customers that their Personal Identifying Information was leaked and/or compromised.”<ref>{{Cite web \|last=Shaak \|first=Erin \|date=6 April 2018 \|title=Panera Bread Facing Lawsuit Over Potential Security Breach \|url=https://www.classaction.org/blog/panera-bread-facing-lawsuit-over-potential-security-breach \|url-status=live \|access-date=29 March 2026 \|website=ClassAction}}</ref> The case was voluntary dismissed without prejudice by the plaintiffs on June due to lack of affiliation with the data breach.<ref>{{Cite web \|last=Bucher \|first=Anne \|date=7 June 2018 \|title=Panera Data Breach Class Action Voluntarily Dismissed by Plaintiffs \|url=https://topclassactions.com/lawsuit-settlements/lawsuit-news/panera-data-breach-class-action-voluntarily-dismissed-plaintiffs/ \|url-status=live \|access-date=29 March 2026 \|website=Top Class Action}}</ref>		On 04 May 2018, plaintiff Alisha Boykin, Kristen Hansen, Tracy Mangano, Amy Dittbenner, Lara Sulelman, and Dusica Perez file a class action lawsuit against Panera for failure to investigate and alert customers of the data breach, claiming "Panera has taken no other efforts since discovering the security breach to inform customers that their Personal Identifying Information was leaked and/or compromised.”<ref>{{Cite web \|last=Shaak \|first=Erin \|date=6 April 2018 \|title=Panera Bread Facing Lawsuit Over Potential Security Breach \|url=https://www.classaction.org/blog/panera-bread-facing-lawsuit-over-potential-security-breach \|url-status=live \|access-date=29 March 2026 \|website=ClassAction}}</ref> The case was voluntary dismissed without prejudice by the plaintiffs on June 2018 due to lack of affiliation with the data breach.<ref>{{Cite web \|last=Bucher \|first=Anne \|date=7 June 2018 \|title=Panera Data Breach Class Action Voluntarily Dismissed by Plaintiffs \|url=https://topclassactions.com/lawsuit-settlements/lawsuit-news/panera-data-breach-class-action-voluntarily-dismissed-plaintiffs/ \|url-status=live \|access-date=29 March 2026 \|website=Top Class Action}}</ref>

	==Consumer response==		==Consumer response==

SquidthePlummer: /* Lawsuit */ added lawsuit

2026-04-04T23:09:01Z

Lawsuit: added lawsuit

← Older revision		Revision as of 23:09, 4 April 2026
Line 36:		Line 36:

	==Lawsuit==		==Lawsuit==
	{{Ph-I-L}}		On 04 May 2018, plaintiff Alisha Boykin, Kristen Hansen, Tracy Mangano, Amy Dittbenner, Lara Sulelman, and Dusica Perez file a class action lawsuit against Panera for failure to investigate and alert customers of the data breach, claiming "Panera has taken no other efforts since discovering the security breach to inform customers that their Personal Identifying Information was leaked and/or compromised.”<ref>{{Cite web \|last=Shaak \|first=Erin \|date=6 April 2018 \|title=Panera Bread Facing Lawsuit Over Potential Security Breach \|url=https://www.classaction.org/blog/panera-bread-facing-lawsuit-over-potential-security-breach \|url-status=live \|access-date=29 March 2026 \|website=ClassAction}}</ref> The case was voluntary dismissed without prejudice by the plaintiffs on June due to lack of affiliation with the data breach.<ref>{{Cite web \|last=Bucher \|first=Anne \|date=7 June 2018 \|title=Panera Data Breach Class Action Voluntarily Dismissed by Plaintiffs \|url=https://topclassactions.com/lawsuit-settlements/lawsuit-news/panera-data-breach-class-action-voluntarily-dismissed-plaintiffs/ \|url-status=live \|access-date=29 March 2026 \|website=Top Class Action}}</ref>

	<ref>{{Cite web \|last=Shaak \|first=Erin \|date=6 April 2018 \|title=Panera Bread Facing Lawsuit Over Potential Security Breach \|url=https://www.classaction.org/blog/panera-bread-facing-lawsuit-over-potential-security-breach \|url-status=live \|access-date=29 March 2026 \|website=ClassAction}}</ref><ref>{{Cite web \|last=Bucher \|first=Anne \|date=7 June 2018 \|title=Panera Data Breach Class Action Voluntarily Dismissed by Plaintiffs \|url=https://topclassactions.com/lawsuit-settlements/lawsuit-news/panera-data-breach-class-action-voluntarily-dismissed-plaintiffs/ \|url-status=live \|access-date=29 March 2026 \|website=Top Class Action}}</ref>
	==Consumer response==		==Consumer response==
	{{Ph-I-ConR}}		{{Ph-I-ConR}}

Sojourna at 02:38, 1 April 2026

2026-04-01T02:38:38Z

← Older revision		Revision as of 02:38, 1 April 2026
Line 1:		Line 1:
			{{Cleanup}}
	{{IncidentCargo		{{IncidentCargo
	\|Company=Panera Bread		\|Company=Panera Bread
	\|StartDate=2017~~-08-02~~		\|StartDate=2 August 2017
	\|EndDate=2018		\|EndDate=2018
	\|Status=Resolved		\|Status=Resolved
	\|Type=Security		\|Type=Security
	\|Description=Company ignored security risks for 8 months, affecting 37 million users.		\|Description=Company ignored security risks for 8 months, affecting 37 million users.
	}}~~{{Cleanup}}~~		}}

	Back in 02 August 2017, security researcher Dylan Houlihan notified [[Panera Bread]] of the breach that allowed hackers to access over 37 million customers personal information via its website, however the company wouldn't take any action until 8 month later on 02 April 2018. This would eventually result in a lawsuit 3 days later, however it was eventually dismissed by the plaintiffs on June 2018.<ref>{{Cite web \|last=Ms. \|first=Smith \|date=3 April 2018 \|title=Panera Bread blew off breach report for 8 months, leaked millions of customer records \|url=https://www.csoonline.com/article/565050/panera-bread-blew-off-breach-report-for-8-months-leaked-millions-of-customer-records.html \|url-status=live \|archive-url=https://web.archive.org/web/20250618211944/https://www.csoonline.com/article/565050/panera-bread-blew-off-breach-report-for-8-months-leaked-millions-of-customer-records.html \|archive-date=18 June 2025 \|access-date=29 March 2026 \|website=CSO}}</ref><ref>{{Cite web \|last=Chappell \|first=Bill \|date=3 April 2018 \|title=For Months, Panera Bread Website Reportedly Exposed Millions Of Customer Records \|url=https://www.npr.org/sections/thetwo-way/2018/04/03/599135288/for-months-panera-bread-website-reportedly-exposed-millions-of-customer-records \|url-status=live \|archive-url=https://web.archive.org/web/20250717104401/https://www.npr.org/sections/thetwo-way/2018/04/03/599135288/for-months-panera-bread-website-reportedly-exposed-millions-of-customer-records \|archive-date=17 July 2025 \|access-date=29 March 2026 \|website=NPR}}</ref>		Back in 02 August 2017, security researcher Dylan Houlihan notified [[Panera Bread]] of the breach that allowed hackers to access over 37 million customers personal information via its website, however the company wouldn't take any action until 8 month later on 02 April 2018. This would eventually result in a lawsuit 3 days later, however it was eventually dismissed by the plaintiffs on June 2018.<ref>{{Cite web \|last=Ms. \|first=Smith \|date=3 April 2018 \|title=Panera Bread blew off breach report for 8 months, leaked millions of customer records \|url=https://www.csoonline.com/article/565050/panera-bread-blew-off-breach-report-for-8-months-leaked-millions-of-customer-records.html \|url-status=live \|archive-url=https://web.archive.org/web/20250618211944/https://www.csoonline.com/article/565050/panera-bread-blew-off-breach-report-for-8-months-leaked-millions-of-customer-records.html \|archive-date=18 June 2025 \|access-date=29 March 2026 \|website=CSO}}</ref><ref>{{Cite web \|last=Chappell \|first=Bill \|date=3 April 2018 \|title=For Months, Panera Bread Website Reportedly Exposed Millions Of Customer Records \|url=https://www.npr.org/sections/thetwo-way/2018/04/03/599135288/for-months-panera-bread-website-reportedly-exposed-millions-of-customer-records \|url-status=live \|archive-url=https://web.archive.org/web/20250717104401/https://www.npr.org/sections/thetwo-way/2018/04/03/599135288/for-months-panera-bread-website-reportedly-exposed-millions-of-customer-records \|archive-date=17 July 2025 \|access-date=29 March 2026 \|website=NPR}}</ref>

	==Original Contact==		==Original Contact==
	On 02 August 2017, Security Researcher Dylan Houlihan first contacted Panera Bread security director Mike Gustavison of a breach after finding it accidentally through their website, containing customers accounts information that includes full name, home address, email address, food preferences, username, phone number, birthday and last four digits of a debit/credit card in plain text.<ref>{{Cite web \|last=Houlihan \|first=Dylan \|date=3 April 2018 \|title=No, Panera Bread Doesn’t Take Security Seriously \|url=https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 \|url-status=live \|archive-url=https://web.archive.org/web/20180403023125/https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 \|archive-date=3 April 2018 \|access-date=29 March 2026 \|website=Medium}}</ref><ref>{{Cite web \|last=Krebs \|first=Brian \|date=2 April 2018 \|title=Panerabread.com Leaks Millions of Customer Records \|url=https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ \|url-status=live \|archive-url=https://web.archive.org/web/20180402220110/https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ \|archive-date=2 April 2018 \|access-date=29 March 2026 \|website=KrebsOnSecurity}}</ref>		On 02 August 2017, Security Researcher Dylan Houlihan first contacted Panera Bread security director Mike Gustavison of a breach after finding it accidentally through their website, containing customers accounts information that includes full name, home address, email address, food preferences, username, phone number, birthday and last four digits of a debit/credit card in plain text.<ref>{{Cite web \|last=Houlihan \|first=Dylan \|date=3 April 2018 \|title=No, Panera Bread Doesn’t Take Security Seriously \|url=https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 \|url-status=live \|archive-url=https://web.archive.org/web/20180403023125/https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 \|archive-date=3 April 2018 \|access-date=29 March 2026 \|website=Medium}}</ref><ref>{{Cite web \|last=Krebs \|first=Brian \|date=2 April 2018 \|title=Panerabread.com Leaks Millions of Customer Records \|url=https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ \|url-status=live \|archive-url=https://web.archive.org/web/20180402220110/https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ \|archive-date=2 April 2018 \|access-date=29 March 2026 \|website=KrebsOnSecurity}}</ref>
	[[File:~~Pandera~~ Bread hack on website.png\|thumb\|Hacked Website]]		[[File:Panera Bread hack on website.png\|thumb\|Hacked Website]]
	[[File:Panera Bread first email.png\|center\|thumb\|First Response ]]		[[File:Panera Bread first email.png\|center\|thumb\|First Response ]]

Line 16:		Line 19:
	The next day, the company responded back, perceiving the message as spam and a attempt at a "sales pitch", suggesting a "better approach" due to demanding a PGP key to be "not a good way to start off". Couple hours later, Dylan Houlihan responded by stating he didn't make any attempts at a sales pitch, along with asking to send the vulnerability information via PGP or email.		The next day, the company responded back, perceiving the message as spam and a attempt at a "sales pitch", suggesting a "better approach" due to demanding a PGP key to be "not a good way to start off". Couple hours later, Dylan Houlihan responded by stating he didn't make any attempts at a sales pitch, along with asking to send the vulnerability information via PGP or email.
	[[File:Panera Bread third email.png\|thumb\|PGP Received]]		[[File:Panera Bread third email.png\|thumb\|PGP Received]]
	[[File:Panera Bread ~~secound~~ email.png\|left\|thumb\|Second Email]]		[[File:Panera Bread second email.png\|left\|thumb\|Second Email]]
	[[File:Panera Bread fourth email.png\|center\|thumb\|250x250px\|Fourth Email]]		[[File:Panera Bread fourth email.png\|center\|thumb\|250x250px\|Fourth Email]]

SquidthePlummer: /* Incident */

2026-03-31T05:40:42Z

Incident

← Older revision		Revision as of 05:40, 31 March 2026
Line 27:		Line 27:
	8 months later on 02 April 2018, Dylan Houlihan would inform KrebsOnSecurity and Troy Hunt, with Krebs eventually taking on the offer and contacting Panera Bread chief information officers. After contact, Panera Bread website was taken down for about an hour to fix the vulnerability, eventually releasing a statement, stating that the issued has been solved within 2 hours and showcasing their commitment to security.<blockquote>''"Panera takes data security very seriously and this issue is resolved. Following reports of today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being access or retrieved."''</blockquote>KrebsonSecurity would respond to this statement soon after on [[X Corp\|X]] (formerly Twitter).<blockquote>''"Hey Panera, despite your statements to the contrary, you still haven't fixed this customer info leak. Would you like to revisit the 10k number you just gave to Fox news? <nowiki>https://t.co/AJeiq6Dfd0</nowiki>"''</blockquote>On the same day, KrebsOnSecurity release their report and within 5 minute Panera Bread would release another statement, stating that less than 10,000 were affected by the incidents;<blockquote>''" Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps"''</blockquote>Soon after Panera Bread announcement, it was discovered that the patch wasn't fixed, with KrebsOnSecurity making a post on [[X Corp\|X]] (formerly Twitter) refuting the company claims.		8 months later on 02 April 2018, Dylan Houlihan would inform KrebsOnSecurity and Troy Hunt, with Krebs eventually taking on the offer and contacting Panera Bread chief information officers. After contact, Panera Bread website was taken down for about an hour to fix the vulnerability, eventually releasing a statement, stating that the issued has been solved within 2 hours and showcasing their commitment to security.<blockquote>''"Panera takes data security very seriously and this issue is resolved. Following reports of today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being access or retrieved."''</blockquote>KrebsonSecurity would respond to this statement soon after on [[X Corp\|X]] (formerly Twitter).<blockquote>''"Hey Panera, despite your statements to the contrary, you still haven't fixed this customer info leak. Would you like to revisit the 10k number you just gave to Fox news? <nowiki>https://t.co/AJeiq6Dfd0</nowiki>"''</blockquote>On the same day, KrebsOnSecurity release their report and within 5 minute Panera Bread would release another statement, stating that less than 10,000 were affected by the incidents;<blockquote>''" Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps"''</blockquote>Soon after Panera Bread announcement, it was discovered that the patch wasn't fixed, with KrebsOnSecurity making a post on [[X Corp\|X]] (formerly Twitter) refuting the company claims.
	[[File:KrebsOnSecurity link showcase.png\|thumb\|KrebsOnSecurity Link Showcase]]		[[File:KrebsOnSecurity link showcase.png\|thumb\|KrebsOnSecurity Link Showcase]]
	<blockquote>''"Per my last tweet, Panera issued a statement to Fox News saying the breach only impacted 10,000 customer accounts. Interesting that they had no numbers for me, and yet had this 10k number all ready to go on the same day this was "discovered," eight months after it was reported."'' ''"10k records, eh @panerabread ? Isn't that what you told Fox News right after my story ran? Fixed the issue, have you? How do you explain this? <nowiki>https://t.co/tWgSNv71TA</nowiki>"''</blockquote>It was later discovered that the vulnerability affected another one of Panera Breads applications.<blockquote>''"Hey @panerabread : before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn't extend to all other parts of your business, like <nowiki>https://t.co/rSpkwc3y1v</nowiki>, etc. Only proper response is to deep six entire site"''</blockquote>After several more tweets made by KrebsOnSecurity, Panera Bread would close their website down again~~, however~~ displaying this message.		<blockquote>''"Per my last tweet, Panera issued a statement to Fox News saying the breach only impacted 10,000 customer accounts. Interesting that they had no numbers for me, and yet had this 10k number all ready to go on the same day this was "discovered," eight months after it was reported."'' ''"10k records, eh @panerabread ? Isn't that what you told Fox News right after my story ran? Fixed the issue, have you? How do you explain this? <nowiki>https://t.co/tWgSNv71TA</nowiki>"''</blockquote>It was later discovered that the vulnerability affected another one of Panera Breads applications.<blockquote>''"Hey @panerabread : before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn't extend to all other parts of your business, like <nowiki>https://t.co/rSpkwc3y1v</nowiki>, etc. Only proper response is to deep six entire site"''</blockquote><!-- this claim about the time might be innacurate and needs checking -->

			After several more tweets made by KrebsOnSecurity, Panera Bread would close their website down again for a few hours displaying this message.
	[[File:Panera Bread second website takedown notice.png\|center\|thumb\|Website Second Take down notice]]		[[File:Panera Bread second website takedown notice.png\|center\|thumb\|Website Second Take down notice]]

SquidthePlummer: /* Contact with Panera Bread */ changed name

2026-03-31T05:12:48Z

Contact with Panera Bread: changed name

← Older revision		Revision as of 05:12, 31 March 2026
Line 8:		Line 8:
	}}{{Cleanup}}		}}{{Cleanup}}
	Back in 02 August 2017, security researcher Dylan Houlihan notified [[Panera Bread]] of the breach that allowed hackers to access over 37 million customers personal information via its website, however the company wouldn't take any action until 8 month later on 02 April 2018. This would eventually result in a lawsuit 3 days later, however it was eventually dismissed by the plaintiffs on June 2018.<ref>{{Cite web \|last=Ms. \|first=Smith \|date=3 April 2018 \|title=Panera Bread blew off breach report for 8 months, leaked millions of customer records \|url=https://www.csoonline.com/article/565050/panera-bread-blew-off-breach-report-for-8-months-leaked-millions-of-customer-records.html \|url-status=live \|archive-url=https://web.archive.org/web/20250618211944/https://www.csoonline.com/article/565050/panera-bread-blew-off-breach-report-for-8-months-leaked-millions-of-customer-records.html \|archive-date=18 June 2025 \|access-date=29 March 2026 \|website=CSO}}</ref><ref>{{Cite web \|last=Chappell \|first=Bill \|date=3 April 2018 \|title=For Months, Panera Bread Website Reportedly Exposed Millions Of Customer Records \|url=https://www.npr.org/sections/thetwo-way/2018/04/03/599135288/for-months-panera-bread-website-reportedly-exposed-millions-of-customer-records \|url-status=live \|archive-url=https://web.archive.org/web/20250717104401/https://www.npr.org/sections/thetwo-way/2018/04/03/599135288/for-months-panera-bread-website-reportedly-exposed-millions-of-customer-records \|archive-date=17 July 2025 \|access-date=29 March 2026 \|website=NPR}}</ref>		Back in 02 August 2017, security researcher Dylan Houlihan notified [[Panera Bread]] of the breach that allowed hackers to access over 37 million customers personal information via its website, however the company wouldn't take any action until 8 month later on 02 April 2018. This would eventually result in a lawsuit 3 days later, however it was eventually dismissed by the plaintiffs on June 2018.<ref>{{Cite web \|last=Ms. \|first=Smith \|date=3 April 2018 \|title=Panera Bread blew off breach report for 8 months, leaked millions of customer records \|url=https://www.csoonline.com/article/565050/panera-bread-blew-off-breach-report-for-8-months-leaked-millions-of-customer-records.html \|url-status=live \|archive-url=https://web.archive.org/web/20250618211944/https://www.csoonline.com/article/565050/panera-bread-blew-off-breach-report-for-8-months-leaked-millions-of-customer-records.html \|archive-date=18 June 2025 \|access-date=29 March 2026 \|website=CSO}}</ref><ref>{{Cite web \|last=Chappell \|first=Bill \|date=3 April 2018 \|title=For Months, Panera Bread Website Reportedly Exposed Millions Of Customer Records \|url=https://www.npr.org/sections/thetwo-way/2018/04/03/599135288/for-months-panera-bread-website-reportedly-exposed-millions-of-customer-records \|url-status=live \|archive-url=https://web.archive.org/web/20250717104401/https://www.npr.org/sections/thetwo-way/2018/04/03/599135288/for-months-panera-bread-website-reportedly-exposed-millions-of-customer-records \|archive-date=17 July 2025 \|access-date=29 March 2026 \|website=NPR}}</ref>
	==Contact ~~with Panera Bread~~==		==Original Contact==
	On 02 August 2017, Security Researcher Dylan Houlihan first contacted Panera Bread security director Mike Gustavison of a breach after finding it accidentally through their website, containing customers accounts information that includes full name, home address, email address, food preferences, username, phone number, birthday and last four digits of a debit/credit card in plain text.<ref>{{Cite web \|last=Houlihan \|first=Dylan \|date=3 April 2018 \|title=No, Panera Bread Doesn’t Take Security Seriously \|url=https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 \|url-status=live \|archive-url=https://web.archive.org/web/20180403023125/https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 \|archive-date=3 April 2018 \|access-date=29 March 2026 \|website=Medium}}</ref><ref>{{Cite web \|last=Krebs \|first=Brian \|date=2 April 2018 \|title=Panerabread.com Leaks Millions of Customer Records \|url=https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ \|url-status=live \|archive-url=https://web.archive.org/web/20180402220110/https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ \|archive-date=2 April 2018 \|access-date=29 March 2026 \|website=KrebsOnSecurity}}</ref>		On 02 August 2017, Security Researcher Dylan Houlihan first contacted Panera Bread security director Mike Gustavison of a breach after finding it accidentally through their website, containing customers accounts information that includes full name, home address, email address, food preferences, username, phone number, birthday and last four digits of a debit/credit card in plain text.<ref>{{Cite web \|last=Houlihan \|first=Dylan \|date=3 April 2018 \|title=No, Panera Bread Doesn’t Take Security Seriously \|url=https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 \|url-status=live \|archive-url=https://web.archive.org/web/20180403023125/https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 \|archive-date=3 April 2018 \|access-date=29 March 2026 \|website=Medium}}</ref><ref>{{Cite web \|last=Krebs \|first=Brian \|date=2 April 2018 \|title=Panerabread.com Leaks Millions of Customer Records \|url=https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ \|url-status=live \|archive-url=https://web.archive.org/web/20180402220110/https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ \|archive-date=2 April 2018 \|access-date=29 March 2026 \|website=KrebsOnSecurity}}</ref>
	[[File:Pandera Bread hack on website.png\|thumb\|Hacked Website]]		[[File:Pandera Bread hack on website.png\|thumb\|Hacked Website]]

SquidthePlummer: added sources and made other changes

2026-03-31T05:09:33Z

added sources and made other changes

← Older revision		Revision as of 05:09, 31 March 2026
Line 7:		Line 7:
	\|Description=Company ignored security risks for 8 months, affecting 37 million users.		\|Description=Company ignored security risks for 8 months, affecting 37 million users.
	}}{{Cleanup}}		}}{{Cleanup}}
	Back in 02 August 2017, security researcher Dylan Houlihan notified [[Panera Bread]] of the breach that allowed hackers to access customers personal information via its website, however the company wouldn't take any action until 8 month later on 02 April 2018. This would eventually result in a lawsuit 3 days later, however it was eventually dismissed by the plaintiffs on June 2018.		Back in 02 August 2017, security researcher Dylan Houlihan notified [[Panera Bread]] of the breach that allowed hackers to access over 37 million customers personal information via its website, however the company wouldn't take any action until 8 month later on 02 April 2018. This would eventually result in a lawsuit 3 days later, however it was eventually dismissed by the plaintiffs on June 2018.<ref>{{Cite web \|last=Ms. \|first=Smith \|date=3 April 2018 \|title=Panera Bread blew off breach report for 8 months, leaked millions of customer records \|url=https://www.csoonline.com/article/565050/panera-bread-blew-off-breach-report-for-8-months-leaked-millions-of-customer-records.html \|url-status=live \|archive-url=https://web.archive.org/web/20250618211944/https://www.csoonline.com/article/565050/panera-bread-blew-off-breach-report-for-8-months-leaked-millions-of-customer-records.html \|archive-date=18 June 2025 \|access-date=29 March 2026 \|website=CSO}}</ref><ref>{{Cite web \|last=Chappell \|first=Bill \|date=3 April 2018 \|title=For Months, Panera Bread Website Reportedly Exposed Millions Of Customer Records \|url=https://www.npr.org/sections/thetwo-way/2018/04/03/599135288/for-months-panera-bread-website-reportedly-exposed-millions-of-customer-records \|url-status=live \|archive-url=https://web.archive.org/web/20250717104401/https://www.npr.org/sections/thetwo-way/2018/04/03/599135288/for-months-panera-bread-website-reportedly-exposed-millions-of-customer-records \|archive-date=17 July 2025 \|access-date=29 March 2026 \|website=NPR}}</ref>
			==Contact with Panera Bread==
			On 02 August 2017, Security Researcher Dylan Houlihan first contacted Panera Bread security director Mike Gustavison of a breach after finding it accidentally through their website, containing customers accounts information that includes full name, home address, email address, food preferences, username, phone number, birthday and last four digits of a debit/credit card in plain text.<ref>{{Cite web \|last=Houlihan \|first=Dylan \|date=3 April 2018 \|title=No, Panera Bread Doesn’t Take Security Seriously \|url=https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 \|url-status=live \|archive-url=https://web.archive.org/web/20180403023125/https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 \|archive-date=3 April 2018 \|access-date=29 March 2026 \|website=Medium}}</ref><ref>{{Cite web \|last=Krebs \|first=Brian \|date=2 April 2018 \|title=Panerabread.com Leaks Millions of Customer Records \|url=https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ \|url-status=live \|archive-url=https://web.archive.org/web/20180402220110/https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ \|archive-date=2 April 2018 \|access-date=29 March 2026 \|website=KrebsOnSecurity}}</ref>
	~~https://~~web.~~archive.org/web/20180402220110/https://krebsonsecurity.com/~~2018~~/04/panerabread-com-leaks-~~millions-of-customer-records/

	https://www.~~malwarebytes~~.com/~~blog~~/~~news~~/~~2018/04/panerabread~~-~~com~~-breach-~~could~~-~~have~~-~~impacted~~-millions

	https://~~topclassactions~~.~~com~~/~~lawsuit-settlements/lawsuit-news~~/~~panera-data-breach-class-action-voluntarily-dismissed-plaintiffs~~/

	https://www.csoonline.com/article/565050/panera-bread-blew-off-breach-report-for-8-months-leaked-millions-of-customer-records.html

	https://www.npr.org/sections/thetwo-way/2018/04/03/599135288/for-months-panera-bread-website-reportedly-exposed-millions-of-customer-records

	https://~~medium~~.~~com~~/~~@djhoulihan~~/no-panera-bread-~~doesnt~~-~~take~~-~~security~~-~~seriously~~-~~bf078027f815~~

	== Contact with Panera Bread ==
	On 02 August 2017, Security Researcher Dylan Houlihan first contacted Panera Bread security director Mike Gustavison of a breach after finding it accidentally through their website, containing customers accounts information that includes full name, home address, email address, food preferences, username, phone number, birthday and last four digits of a debit/credit card in plain text.
	[[File:Pandera Bread hack on website.png\|thumb\|Hacked Website]]		[[File:Pandera Bread hack on website.png\|thumb\|Hacked Website]]
	[[File:Panera Bread first email.png\|center\|thumb\|First Response ]]		[[File:Panera Bread first email.png\|center\|thumb\|First Response ]]
Line 32:		Line 18:
	[[File:Panera Bread secound email.png\|left\|thumb\|Second Email]]		[[File:Panera Bread secound email.png\|left\|thumb\|Second Email]]
	[[File:Panera Bread fourth email.png\|center\|thumb\|250x250px\|Fourth Email]]		[[File:Panera Bread fourth email.png\|center\|thumb\|250x250px\|Fourth Email]]



	On the same day, the company send the researcher the PGP key, after which he sends the report to Panera Bread and in a follow up reply, ask if the company was successful in decrypting the report, however the company didn't respond. Dylan Houlihan would sent several more responses asking for confirmation of successfully decrypting the PGP key, eventually receiving a response on 09 August confirming the decryption.		On the same day, the company send the researcher the PGP key, after which he sends the report to Panera Bread and in a follow up reply, ask if the company was successful in decrypting the report, however the company didn't respond. Dylan Houlihan would sent several more responses asking for confirmation of successfully decrypting the PGP key, eventually receiving a response on 09 August confirming the decryption.

	== Incident ==		==Incident==
	[[File:Panera Bread website takedown notice.png\|thumb\|Website Take down notice]]		[[File:Panera Bread website takedown notice.png\|thumb\|Website Take down notice]]
	8 months later on 02 April 2018, Dylan Houlihan would inform KrebsOnSecurity and Troy Hunt, with Krebs eventually taking on the offer and contacting Panera Bread chief information officers. After contact, Panera Bread website was taken down for about an hour to fix the vulnerability, eventually releasing a statement, stating that the issued has been solved within 2 hours and showcasing their commitment to security.<blockquote>''"Panera takes data security very seriously and this issue is resolved. Following reports of today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being access or retrieved."''</blockquote>KrebsonSecurity would respond to this statement soon after on [[X Corp\|X]] (formerly Twitter).<blockquote>''"Hey Panera, despite your statements to the contrary, you still haven't fixed this customer info leak. Would you like to revisit the 10k number you just gave to Fox news? <nowiki>https://t.co/AJeiq6Dfd0</nowiki>"''</blockquote>On the same day, KrebsOnSecurity release their report and within 5 minute Panera Bread would release another statement, stating that less than 10,000 were affected by the incidents;<blockquote>''" Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps"''</blockquote>Soon after Panera Bread announcement, it was discovered that the patch wasn't fixed, with KrebsOnSecurity making a post on [[X Corp\|X]] (formerly Twitter) refuting the company claims.		8 months later on 02 April 2018, Dylan Houlihan would inform KrebsOnSecurity and Troy Hunt, with Krebs eventually taking on the offer and contacting Panera Bread chief information officers. After contact, Panera Bread website was taken down for about an hour to fix the vulnerability, eventually releasing a statement, stating that the issued has been solved within 2 hours and showcasing their commitment to security.<blockquote>''"Panera takes data security very seriously and this issue is resolved. Following reports of today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being access or retrieved."''</blockquote>KrebsonSecurity would respond to this statement soon after on [[X Corp\|X]] (formerly Twitter).<blockquote>''"Hey Panera, despite your statements to the contrary, you still haven't fixed this customer info leak. Would you like to revisit the 10k number you just gave to Fox news? <nowiki>https://t.co/AJeiq6Dfd0</nowiki>"''</blockquote>On the same day, KrebsOnSecurity release their report and within 5 minute Panera Bread would release another statement, stating that less than 10,000 were affected by the incidents;<blockquote>''" Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps"''</blockquote>Soon after Panera Bread announcement, it was discovered that the patch wasn't fixed, with KrebsOnSecurity making a post on [[X Corp\|X]] (formerly Twitter) refuting the company claims.
Line 46:		Line 33:
	{{Ph-I-L}}		{{Ph-I-L}}

	https://www.classaction.org/blog/panera-bread-facing-lawsuit-over-potential-security-breach		<ref>{{Cite web \|last=Shaak \|first=Erin \|date=6 April 2018 \|title=Panera Bread Facing Lawsuit Over Potential Security Breach \|url=https://www.classaction.org/blog/panera-bread-facing-lawsuit-over-potential-security-breach \|url-status=live \|access-date=29 March 2026 \|website=ClassAction}}</ref><ref>{{Cite web \|last=Bucher \|first=Anne \|date=7 June 2018 \|title=Panera Data Breach Class Action Voluntarily Dismissed by Plaintiffs \|url=https://topclassactions.com/lawsuit-settlements/lawsuit-news/panera-data-breach-class-action-voluntarily-dismissed-plaintiffs/ \|url-status=live \|access-date=29 March 2026 \|website=Top Class Action}}</ref>

	https://topclassactions.com/lawsuit-settlements/lawsuit-news/panera-data-breach-class-action-voluntarily-dismissed-plaintiffs/
	==Consumer response==		==Consumer response==
	{{Ph-I-ConR}}		{{Ph-I-ConR}}

SquidthePlummer: SquidthePlummer moved page Panera Bread Known About Security Breach for 8 Months Yet Choose To Do Nothing to Panera's failure to disclose a known security breach: Misspelled title: As discussed in discussions

2026-03-31T04:51:39Z

SquidthePlummer moved page Panera Bread Known About Security Breach for 8 Months Yet Choose To Do Nothing to Panera's failure to disclose a known security breach: Misspelled title: As discussed in discussions

← Older revision	Revision as of 04:51, 31 March 2026
(No difference)

SquidthePlummer: Undo revision 48562 by SquidthePlummer (talk) made mistake

2026-03-31T04:45:59Z

Undo revision 48562 by SquidthePlummer (talk) made mistake

← Older revision		Revision as of 04:45, 31 March 2026
Line 1:		Line 1:
	~~#REDIRECT [[Panera's failure to disclose a known security breach]]~~{{IncidentCargo		{{IncidentCargo
	\|Company=Panera Bread		\|Company=Panera Bread
	\|StartDate=2017-08-02		\|StartDate=2017-08-02
Line 22:		Line 22:
	https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815		https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815

	==Contact with Panera Bread==		== Contact with Panera Bread ==
	On 02 August 2017, Security Researcher Dylan Houlihan first contacted Panera Bread security director Mike Gustavison of a breach after finding it accidentally through their website, containing customers accounts information that includes full name, home address, email address, food preferences, username, phone number, birthday and last four digits of a debit/credit card in plain text.		On 02 August 2017, Security Researcher Dylan Houlihan first contacted Panera Bread security director Mike Gustavison of a breach after finding it accidentally through their website, containing customers accounts information that includes full name, home address, email address, food preferences, username, phone number, birthday and last four digits of a debit/credit card in plain text.
	[[File:Pandera Bread hack on website.png\|thumb\|Hacked Website]]		[[File:Pandera Bread hack on website.png\|thumb\|Hacked Website]]
Line 36:		Line 36:
	On the same day, the company send the researcher the PGP key, after which he sends the report to Panera Bread and in a follow up reply, ask if the company was successful in decrypting the report, however the company didn't respond. Dylan Houlihan would sent several more responses asking for confirmation of successfully decrypting the PGP key, eventually receiving a response on 09 August confirming the decryption.		On the same day, the company send the researcher the PGP key, after which he sends the report to Panera Bread and in a follow up reply, ask if the company was successful in decrypting the report, however the company didn't respond. Dylan Houlihan would sent several more responses asking for confirmation of successfully decrypting the PGP key, eventually receiving a response on 09 August confirming the decryption.

	==Incident==		== Incident ==
	[[File:Panera Bread website takedown notice.png\|thumb\|Website Take down notice]]		[[File:Panera Bread website takedown notice.png\|thumb\|Website Take down notice]]
	8 months later on 02 April 2018, Dylan Houlihan would inform KrebsOnSecurity and Troy Hunt, with Krebs eventually taking on the offer and contacting Panera Bread chief information officers. After contact, Panera Bread website was taken down for about an hour to fix the vulnerability, eventually releasing a statement, stating that the issued has been solved within 2 hours and showcasing their commitment to security.<blockquote>''"Panera takes data security very seriously and this issue is resolved. Following reports of today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being access or retrieved."''</blockquote>KrebsonSecurity would respond to this statement soon after on [[X Corp\|X]] (formerly Twitter).<blockquote>''"Hey Panera, despite your statements to the contrary, you still haven't fixed this customer info leak. Would you like to revisit the 10k number you just gave to Fox news? <nowiki>https://t.co/AJeiq6Dfd0</nowiki>"''</blockquote>On the same day, KrebsOnSecurity release their report and within 5 minute Panera Bread would release another statement, stating that less than 10,000 were affected by the incidents;<blockquote>''" Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps"''</blockquote>Soon after Panera Bread announcement, it was discovered that the patch wasn't fixed, with KrebsOnSecurity making a post on [[X Corp\|X]] (formerly Twitter) refuting the company claims.		8 months later on 02 April 2018, Dylan Houlihan would inform KrebsOnSecurity and Troy Hunt, with Krebs eventually taking on the offer and contacting Panera Bread chief information officers. After contact, Panera Bread website was taken down for about an hour to fix the vulnerability, eventually releasing a statement, stating that the issued has been solved within 2 hours and showcasing their commitment to security.<blockquote>''"Panera takes data security very seriously and this issue is resolved. Following reports of today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being access or retrieved."''</blockquote>KrebsonSecurity would respond to this statement soon after on [[X Corp\|X]] (formerly Twitter).<blockquote>''"Hey Panera, despite your statements to the contrary, you still haven't fixed this customer info leak. Would you like to revisit the 10k number you just gave to Fox news? <nowiki>https://t.co/AJeiq6Dfd0</nowiki>"''</blockquote>On the same day, KrebsOnSecurity release their report and within 5 minute Panera Bread would release another statement, stating that less than 10,000 were affected by the incidents;<blockquote>''" Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps"''</blockquote>Soon after Panera Bread announcement, it was discovered that the patch wasn't fixed, with KrebsOnSecurity making a post on [[X Corp\|X]] (formerly Twitter) refuting the company claims.
Line 52:		Line 52:
	{{Ph-I-ConR}}		{{Ph-I-ConR}}
	==References==		==References==
	{{reflist~~}}{{DEFAULTSORT:Panera's failure to disclose a known security breach~~}}		{{reflist}}
	[[Category:Panera Bread]]		[[Category:Panera Bread]]

SquidthePlummer: changed redirect AGAIN to shorten name length as discussed

2026-03-31T04:43:33Z

changed redirect AGAIN to shorten name length as discussed

← Older revision		Revision as of 04:43, 31 March 2026
Line 1:		Line 1:
	{{IncidentCargo		#REDIRECT [[Panera's failure to disclose a known security breach]]{{IncidentCargo
	\|Company=Panera Bread		\|Company=Panera Bread
	\|StartDate=2017-08-02		\|StartDate=2017-08-02
Line 22:		Line 22:
	https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815		https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815

	== Contact with Panera Bread ==		==Contact with Panera Bread==
	On 02 August 2017, Security Researcher Dylan Houlihan first contacted Panera Bread security director Mike Gustavison of a breach after finding it accidentally through their website, containing customers accounts information that includes full name, home address, email address, food preferences, username, phone number, birthday and last four digits of a debit/credit card in plain text.		On 02 August 2017, Security Researcher Dylan Houlihan first contacted Panera Bread security director Mike Gustavison of a breach after finding it accidentally through their website, containing customers accounts information that includes full name, home address, email address, food preferences, username, phone number, birthday and last four digits of a debit/credit card in plain text.
	[[File:Pandera Bread hack on website.png\|thumb\|Hacked Website]]		[[File:Pandera Bread hack on website.png\|thumb\|Hacked Website]]
Line 36:		Line 36:
	On the same day, the company send the researcher the PGP key, after which he sends the report to Panera Bread and in a follow up reply, ask if the company was successful in decrypting the report, however the company didn't respond. Dylan Houlihan would sent several more responses asking for confirmation of successfully decrypting the PGP key, eventually receiving a response on 09 August confirming the decryption.		On the same day, the company send the researcher the PGP key, after which he sends the report to Panera Bread and in a follow up reply, ask if the company was successful in decrypting the report, however the company didn't respond. Dylan Houlihan would sent several more responses asking for confirmation of successfully decrypting the PGP key, eventually receiving a response on 09 August confirming the decryption.

	== Incident ==		==Incident==
	[[File:Panera Bread website takedown notice.png\|thumb\|Website Take down notice]]		[[File:Panera Bread website takedown notice.png\|thumb\|Website Take down notice]]
	8 months later on 02 April 2018, Dylan Houlihan would inform KrebsOnSecurity and Troy Hunt, with Krebs eventually taking on the offer and contacting Panera Bread chief information officers. After contact, Panera Bread website was taken down for about an hour to fix the vulnerability, eventually releasing a statement, stating that the issued has been solved within 2 hours and showcasing their commitment to security.<blockquote>''"Panera takes data security very seriously and this issue is resolved. Following reports of today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being access or retrieved."''</blockquote>KrebsonSecurity would respond to this statement soon after on [[X Corp\|X]] (formerly Twitter).<blockquote>''"Hey Panera, despite your statements to the contrary, you still haven't fixed this customer info leak. Would you like to revisit the 10k number you just gave to Fox news? <nowiki>https://t.co/AJeiq6Dfd0</nowiki>"''</blockquote>On the same day, KrebsOnSecurity release their report and within 5 minute Panera Bread would release another statement, stating that less than 10,000 were affected by the incidents;<blockquote>''" Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps"''</blockquote>Soon after Panera Bread announcement, it was discovered that the patch wasn't fixed, with KrebsOnSecurity making a post on [[X Corp\|X]] (formerly Twitter) refuting the company claims.		8 months later on 02 April 2018, Dylan Houlihan would inform KrebsOnSecurity and Troy Hunt, with Krebs eventually taking on the offer and contacting Panera Bread chief information officers. After contact, Panera Bread website was taken down for about an hour to fix the vulnerability, eventually releasing a statement, stating that the issued has been solved within 2 hours and showcasing their commitment to security.<blockquote>''"Panera takes data security very seriously and this issue is resolved. Following reports of today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being access or retrieved."''</blockquote>KrebsonSecurity would respond to this statement soon after on [[X Corp\|X]] (formerly Twitter).<blockquote>''"Hey Panera, despite your statements to the contrary, you still haven't fixed this customer info leak. Would you like to revisit the 10k number you just gave to Fox news? <nowiki>https://t.co/AJeiq6Dfd0</nowiki>"''</blockquote>On the same day, KrebsOnSecurity release their report and within 5 minute Panera Bread would release another statement, stating that less than 10,000 were affected by the incidents;<blockquote>''" Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps"''</blockquote>Soon after Panera Bread announcement, it was discovered that the patch wasn't fixed, with KrebsOnSecurity making a post on [[X Corp\|X]] (formerly Twitter) refuting the company claims.
Line 52:		Line 52:
	{{Ph-I-ConR}}		{{Ph-I-ConR}}
	==References==		==References==
	{{reflist}}		{{reflist}}{{DEFAULTSORT:Panera's failure to disclose a known security breach}}
	[[Category:Panera Bread]]		[[Category:Panera Bread]]