Krebs On Security is reporting that Panerabread.com has leaked millions of customer records including:
- Names
- E-mail addresses
- Physical addresses
- Birthdays
- Last four digits of customers' credit card numbers
- Customer loyalty numbers
That data was available in plain text on the Panera website. We've continually advocated tougher penalties for companies that allow consumer data to be breached. At this stage it's obvious that companies aren't taking the threat of data breaches seriously enough. Panera is a prime example: they were first alerted to this issue in August 2017. Earlier today we reported on another data breach, this time at Saks/Lord & Taylor. If you think your data has been breached, we'd recommend following this guide.
Seriously fuck this shit. They don’t even use EMV chip readers at the Panera I go to. 8 months…wtf
I’m in the process of deleting and replacing all of my subscription, payment, and other credit card fields with tokenized numbers.
Either jointoken or privacy.com will tokenize your card numbers and generate a new one. Tried them both a few times in the past and they all worked, but honestly was too lazy until this past week to actually actively replace all my other information.
Another reason to NEVER use your real birthday with these crap companies.
Agreed!
I use a birthdate that’s +/- 7 days or +/-2 months of my real birthday.
This year I've been receiving a ton of spam calls on my cell. All the data breaches must be the culprit. Fortunately the Mr. Number app catches them all and I can easily block the calls.
Does this affect people who walked in and bought stuff like I did last week with my credit card? Or does this affect people who actually have an account there?
The timing makes sense. Last year Panera added PINs to their GCs – previously, there were thousands of deeply discounted non-PIN e-GCs available (30+% off) and it was clear they were being fraudulently generated. Then about a year ago they stopped accepting any GCs without PINs and the supply of GCs dropped dramatically (as did the very deep discounts). I used to buy them knowing full well the non-PIN GCs had to be fraudulent – the same guys would be selling hundreds of Panera GCs at big discounts. I talked to Panera CS one time and they knew all about it, just didn't seem to care much about fixing the issue. Not a surprise the rest of their IT security totally sucked as well.
I suspect all companies have been hacked – they just don’t know it, or refuse to admit it.
So… the hackers have my reward number, and can now use it to get me… more rewards?
Or drain your balance.
This is classic “their director of info security – was senior director of security operations at Equifax until 2013 ”
What a Shocker!
https://twitter.com/briankrebs
I’m so sorry to write this on your blog Will but
We are Fucked!
I read the article. Their person in charge of IT security was notified eight months ago, and did not do anything to correct the issue. I mean, WTF! How can people this dumb end up with good jobs like that? When the HQ was made aware they just tried a quick patch, claimed all good now, and when called out that there was still an issue, took the website offline.
I like their food for the prices they have but, no more business from me until the dickheads are fired and they show some decent investment in security.
As far as execs go Equifax’s IT exec during the breach being a music major is hard to beat…
He is the same dude!
A music major has nothing to do with poor IT policy and management. I was a humanities major working corporate IT at an investment bank. We took security seriously, all the way up the line. They don’t care what your background is so long as you’re good at your job, which clearly Equifax’s IT team was not.
The Krebs article says that some Panera Customer Loyalty #s were exposed. Suggests prepaid amounts or rewards could have been siphoned from accounts if they had that #.
Let me add that in.