EXECUTIVE SUMMARY:

For at least eight months. Panera Bread, the baker and cafe chain, leaked sensitive customer data, which included names, birth dates, email and physical addresses, and the last four digits of credit cards–potentially giving hackers an easy score of valuable information. And that was despite having been warned about the issue.

The data was easily accessible on Panera’s website, according to Brian Krebs. “The data available in plain text from Panera’s site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com,” writes Krebs in his blog KrebsonSecurity.

Krebs was contacted by a security researcher who first found the leak in August, after attempts to get Panera to fix the issue seemed to go nowhere.

As Krebs looked into the problem he found that the data could be indexed and crawled by automated tools. “For example, some of the customer records include unique identifiers that increment by one for each new record, making it potentially simple for someone to scrape all available customer accounts. The format of the database also lets anyone search for customers via a variety of data points, including by phone number,” explains Krebs.

Panera issued a statement saying it had fixed the problem within two hours of being contacted by Krebs. But, as Krebs pointed out, it’s unclear why the company didn’t address the leak when it was originally contacted by the researcher in August.

Krebs estimates that the number of customer records could be as high as seven million. However, after the story was published on KrebsonSecurity, Panera downplayed the incident to Fox News, saying only 10,000 customer records were exposed.

Get the full story at KrebsonSecurity.