Panera Bread this week became the latest company hit by a data breach, acknowledging customer information was vulnerable on its company website for at least eight months.
The records belonged to customers who had registered for the MyPanera program to order food online. The details exposed included their names, email and physical addresses, birthdays and the last four digits of users’ credit card numbers, according to the security news site KrebsOnSecurity. KrebsOnSecurity also reported that customers’ Panera loyalty card numbers were exposed, which scammers potentially could abuse to spend prepaid accounts.
On Tuesday, Panera estimated that fewer than 10,000 customers had been affected by the leak. KrebsOnSecurity put the number at closer to 37 million, though experts say the true number of compromised records may never be fully known.
Panera did not return a request for comment or for clarification on the nature of the data breach.
Chris Hoofnagle, a professor of information and law at the University of California at Berkeley, said companies want access to personal information but often are unwilling to pay the price of ensuring its protection.
“Security is difficult and expensive, and no one wants to do it,” Hoofnagle said.
“There’s the miracle of making it possible that you can order a sandwich (online). That’s hard enough. And then people come along and say, What about security?”