Panera Bread Company has been hit with a proposed class action over a potential security breach the St. Louis-based sandwich franchise acknowledged earlier this week. According to the lawsuit, cyber-security website Krebs on Security published a blog post on April 2, 2018 reporting that “millions of customer records – including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number” had been exposed on Panera’s website “for at least eight months,” subjecting customers to an increased risk of identity theft.
The lawsuit argues that the defendant failed its initial duty to protect customers’ data and then neglected to properly investigate the issue and alert customers when it learned their information may have been exposed.
Whose Information Was Potentially Leaked?
Affected individuals, according to the case, include those who signed up for the MyPanera rewards program or ordered food for pickup using the company’s website or smartphone app. The lawsuit claims these customers’ personal identifying information, which they were required to enter into the defendant’s database, was “negligently or recklessly exposed to hackers and/or unknown nefarious third parties.”
How Long Were the Records Allegedly Exposed?
The lawsuit claims customers’ information has been accessible for at least eight months, and possibly even longer. According to the complaint, a security researcher alerted Panera’s director of information security to the potential breach back in August 2017 and was told that the team was “working on a resolution.” The researcher supposedly continued checking the site in the following months and saw “[no] indication that Panera ever addressed the issue.”
The suit also notes an even earlier warning from a Panera customer who claims he informed the company in May 2007 that his Panera rewards account had been compromised, but, in his words, “they blew me off.”
Has Panera Warned Customers of the Potential Breach?
In short, no, the lawsuit alleges. Shortly after Krebs on Security published its blog post, the company reportedly released a written statement to Fox News assuring the public that the “issue is resolved,” but, as of the time of publication, it has still not fully disclosed to its customers the details of the leak or its impact.
“Upon information and belief,” the complaint reads, “Panera has taken no other efforts since discovering the security breach to inform customers that their Personal Identifying Information was leaked and/or compromised.”
How Does the Data Breach Affect Panera Customers?
The case claims Panera customers now face “years of constant surveillance of their financial and personal records,” plus the costs of repairing any damages caused by fraudulent use of their information. From the complaint:
“As a direct and proximate result of Panera’s wrongful action and inaction and the resulting data breach, Plaintiffs and [proposed class members] have been placed at an imminent, immediate, and continuing increased risk of harm from identity theft and identity fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the subject data breach on their lives by, among other things, placing ‘freezes’ and ‘alerts’ with credit reporting agencies, contacting their financial institutions, closing or modifying financial accounts, and closely reviewing and monitoring their credit reports and accounts for unauthorized activity.”