Panera Bread is the latest consumer brand to report a significant data breach. The company has confirmed a cybersecurity incident after the hacking group ShinyHunters claimed to have stolen millions of customer records, raising serious concerns for anyone who has interacted with the bakery chain.
The breach exposed a range of personal details, which is troubling for anyone who has ordered from Panera or created an account. ShinyHunters originally asserted they had stolen over 14 million records, including names, email addresses, phone numbers, and home addresses.
In response, Panera acknowledged the breach, referring to the compromised data as customer “contact information.” The company stated it had contacted law enforcement and taken measures to address the situation, but it did not disclose how the attack happened or advise customers on what actions to take.
Even though the term “contact information” may sound benign, this kind of data is exactly what identity thieves and phishing operators need to craft convincing, targeted lures. ShinyHunters claimed they accessed Panera’s systems through Microsoft Entra single sign-on (SSO), a claim Panera has not confirmed. The claim is consistent with recent warnings from Okta about an increase in voice phishing attacks targeting SSO systems.
Initially, it appeared that 14 million customers were at risk, but later research revealed that this figure represented the total number of records stolen rather than the number of unique individuals. Estimates put the number of unique customers affected at around 5.1 million, a smaller figure but still a significant risk. Once data like this is out there, it tends to circulate quickly among criminals, and there is no practical way to recall it.
ShinyHunters allegedly attempted to blackmail Panera first, and only after those efforts failed did the group release the data online, posting a 760MB archive of customer records on a leak site. This reflects a broader shift in criminal tactics toward quiet data theft and extortion rather than traditional file-encrypting ransomware attacks.
The breach has already led to legal action. Multiple class action lawsuits have been filed, alleging that Panera did not do enough to protect customer data and seeking damages as well as improved security measures. This isn’t the first time Panera has faced scrutiny over security; back in 2018, a cybersecurity researcher reported that the company had exposed millions of customer records online, which also resulted in legal consequences.
Managing security risk at scale is challenging for any large organization. When attackers target identity platforms rather than infrastructure alone, a single compromised login or misconfiguration can open the door to a data breach affecting millions of people.
Here are some steps you might consider to protect yourself following the breach:
1) Create strong, unique passwords.
Immediately reset your Panera password if you have an account. Password managers can aid in generating unique passwords and securely storing them.
2) Enable two-factor authentication (2FA).
Two-factor authentication adds an extra layer of security to your accounts, so a stolen or reused password alone is not enough for an attacker to get in.
3) Be cautious with emails.
Cybercriminals often send fake emails in the wake of a breach, frequently impersonating the breached company itself. Double-check sender details and avoid clicking links or opening attachments when you are unsure.
4) Limit personal information sharing.
The risk of identity theft increases when personal details such as your home address and phone number are exposed. Consider using an identity theft protection or credit monitoring service.
5) Reduce your digital footprint.
Consider data deletion services that help remove your information from online sites, thus minimizing your visibility to fraudsters.
6) Safeguard your email account.
Your email account is the key to resetting passwords on most other services, so it deserves the strongest protection. Secure it with a strong, unique password and enable 2FA.
7) Stay alert about account changes.
Watch for unusual activity post-breach, like unexpected password resets or profile changes. If you notice something off, change your password promptly.
In conclusion, the Panera Bread data breach is a stark reminder that even well-known brands can fall victim to cyberattacks. While the company claims only “contact information” was involved, this data can facilitate various forms of fraud long after the news cycle fades. Staying proactive after such incidents has become increasingly crucial in our digital age.
Have your views on sharing personal data with big brands changed after learning about repeated breaches? Feel free to share your thoughts.