Security researcher Brian Krebs with KrebsOnSecurity says Panera Bread's website leaked millions of customer records containing a plethora of personal information, with the data made available in plain text.
Krebs reports that anyone could search for customer information including phone number, email address, physical address or loyalty account number.
The Krebs site says it wouldn't be all that hard for hackers to get hold of the data.
An independent security analyst told KrebsOnSecurity.com that he'd warned Panera about the breach in August 2017. It was initially thought that only seven million or so customer records were exposed but further research has reportedly found that the vulnerability extends to Panera's commercial division, one that serves many catering companies. This time it's Panera Bread that's reporting a possible data leak.
'Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved'.
According to Houlihan, the researcher checked for a resolution to the problem every month or so, but "the flaw never disappeared".
A representative from Panera did not respond immediately to a request for comment from MONEY. KrebsOnSecurity said the incremental customer numbers indexed by the site suggest that the number may be higher than 7 million, and it's also uncertain whether Panera customer account passwords may have been impacted.
Houlihan wrote that Gustavison, the information security director at Panera he corresponded with in August, was senior director of security operations at Equifax from 2009 to 2013. Company officials claim less than 10,000 customers were affected by the leak.
Before publishing details of the problem, Krebs spoke to Panera Bread's CIO John Meister, and the website was soon afterwards briefly taken down for "essential system maintenance".