Panera's failure to disclose a known security breach: Difference between revisions

Revision as of 02:10, 31 March 2026

Back in 02 August 2017, security researcher Dylan Houlihan notified Panera Bread of the breach that allowed hackers to access customers personal information via its website, however the company wouldn't take any action until 8 month later on 02 April 2018. This would eventually result in a lawsuit 3 days later, however it was eventually dismissed by the plaintiffs on June 2018.

https://web.archive.org/web/20180402220110/https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/

https://www.malwarebytes.com/blog/news/2018/04/panerabread-com-breach-could-have-impacted-millions

https://topclassactions.com/lawsuit-settlements/lawsuit-news/panera-data-breach-class-action-voluntarily-dismissed-plaintiffs/

https://www.csoonline.com/article/565050/panera-bread-blew-off-breach-report-for-8-months-leaked-millions-of-customer-records.html

https://www.npr.org/sections/thetwo-way/2018/04/03/599135288/for-months-panera-bread-website-reportedly-exposed-millions-of-customer-records

https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815

Incident

On 02 August 2017, Security Researcher Dylan Houlihan first contacted Panera Bread security director Mike Gustavison of a breach containing customers information that includes full name, home address, email address, food preferences, username, phone number, birthday and last four digits of a debit/credit card in plain text.

Security Researchers Response

Change this section's title to be descriptive of the incident.

Impartial and complete description of the events, including actions taken by the company, and the timeline of the incident coming to the public's attention.

Add your text below this box. Once this section is complete, delete this box by clicking on it and pressing backspace.

[Company]'s response

If applicable, add the proposed solution to the issues by the company.

Add your text below this box. Once this section is complete, delete this box by clicking on it and pressing backspace.

Lawsuit

If applicable, add any information regarding litigation around the incident here.

Claims

Main claims of the suit.

Rebuttal

The response of the company or counterclaims.

Outcome

The outcome of the suit, if any.

Add your text below this box. Once this section is complete, delete this box by clicking on it and pressing backspace.

https://www.classaction.org/blog/panera-bread-facing-lawsuit-over-potential-security-breach

Consumer response

Summary and key issues of prevailing sentiment from the consumers and commentators that can be documented via articles, emails to support, reviews and forum posts.

Add your text below this box. Once this section is complete, delete this box by clicking on it and pressing backspace.

References

@@ Line 6: / Line 6: @@
 |Type=Security
 |Description=Company ignored security risks for 8 months, affecting 37 million users.
-}}Back in 02 August 2017, security researcher Dylan Houlihan notified [[Panera Bread|Panera]] [[Panera Bread|Bread]] of the breach that allowed hackers to access customers personal information via its website, however the company wouldn't take any action until 8 month later on 02 April 2018. This would eventually result in a lawsuit 3 days later, however it was eventually dismissed by the plaintiffs on June 2018.
+}}Back in 02 August 2017, security researcher Dylan Houlihan notified [[Panera Bread]] of the breach that allowed hackers to access customers personal information via its website, however the company wouldn't take any action until 8 month later on 02 April 2018. This would eventually result in a lawsuit 3 days later, however it was eventually dismissed by the plaintiffs on June 2018.
@@ Line 25: / Line 25: @@
-== Security Researchers Response ==
+==Security Researchers Response==
 {{Ph-I-I}}
-== [Company]'s response ==
+==[Company]'s response==
 {{Ph-I-ComR}}