Data Breach of the Month: Panera Bread

Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser known incident that has outsized implications for the security industry.

In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.

So without further ado, our breach of the month for April, 2018 is… Panera Bread’s exposed customer account data, which was left vulnerable for eight months after the leak was first reported.

What Happened?

On April 2nd, Panera acknowledged that data belonging to their online customers had been exposed, and briefly took a portal offline to patch the issue. This was in response to security blogger Brian Krebs breaking the story. Krebs was tipped to the vulnerability by security researcher Dylan Houlihan, who had notified Panera of the exposed data eight months earlier.

When the story went public in April, Panera quickly announced that fewer than 10,000 customers were affected. However, Krebs and Houlihan argue that the real number could be between 7 and 37 million, because of related vulnerabilities throughout Panera’s online databases. In fact, according to Krebs, many of these records were still exposed when Panera announced the issue.

The exposed data includes names, usernames, emails, home addresses, phone numbers, birthdays, final four numbers of credit cards, and dietary preferences of users that have signed up for an account to order food online from Panera.

How did it Happen?

The database was exposed via a publicly available API endpoint. Customer account IDs were sequential numbers, making it easy for data thieves to gather records in bulk. Records could also be easily indexed and crawled using automated tools. After the initial vulnerability was patched, the same problem was found on other API endpoints, as well as an application used to connect with catering companies.

How to Minimize the Risk of this Type of Breach

The most notable aspect of this incident was Panera’s reluctance to act. They waited eight months to take action to close the data leak, and even then, it was only after the pressure created by Krebs’ covering the story. So why do organizations fail to act, even when presented with good reasons to believe their security is compromised? In a blog post recounting his efforts to convince Panera their data was exposed, Houlihan argues that companies need to be more receptive of security reporting, and held accountable when they put PR ahead of remediation.

At D3, we think having the right tools in place can make the process of closing an outstanding vulnerability as easy as possible, resulting in faster action and less risk. From our perspective as incident response orchestration and case management software providers, here are a few features that could be particularly useful:


  • Root cause analysis and remediation workflows. Overwhelmed by the sheer volume of incoming alerts, security teams often become purely reactive. This can lead to similar incidents recurring again and again because the problems behind them are not addressed. With root cause analysis, response workflows extend to ensure that underlying vulnerabilities are found and resolved.
  • Human- and machine-driven orchestration. Orchestration across machines to accelerate incident response is getting a lot of attention in the industry, but equally important is the ability to orchestrate human actions, through tools like automated notifications, alerts, and playbooks. Orchestration tools make it less likely that a security flaw will be left outstanding, by applying proven response procedures that leave little room for human error or communication failures.
  • Cross-department collaboration. Taking an entire website down to fix a vulnerability, as Panera ultimately had to do, isn’t just a security decision. Incidents with this level of complexity will often require input from other groups within the company, including legal, compliance, HR, and senior management. Unfortunately, many security tools silo off data, making it difficult to coordinate response across departments. D3 remedies this with features to communicate beyond the SOC and give outside parties access to relevant subsets of data.

If you want to learn more about the features that help organizations react fast and conclusively to security incidents, check out our product guide. We’ll see you back here next month for a new Data Breach of the Month.

Social Icon
Walker Banerd

Walker is D3 Security's Director of Content Marketing. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.