Even after validating that the breach was real, Panera Bread's site was still leaking customer records in plain text eight months later. These records "could be indexed and crawled by automated tools with very little effort."
We see this all too often: companies refuse to take real responsibility when they make mistakes that lead to accidental data exposures. We receive similar responses in which they deflect, deny and downplay the situation. What is it going to take for more companies to do the right thing?
Panerabread.com, the Web site for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months before it was yanked offline earlier today, KrebsOnSecurity has learned. The data available in plain text from Panera’s site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com. The St. Louis-based company, which has more than 2,100 retail locations in the United States and Canada, allows customers to order food online for pickup in stores or for delivery.