Data Security at Panera

The exposure or potential exposure of any customer data is not acceptable to Panera. We take responsibility for the reported issues and are working hard to make it right with our guests.

After the initial reporting in early April 2018, two external firms with expertise in digital forensics and data security matters, CrowdStrike and NTP Cybersecurity, were engaged to conduct independent investigations into the extent of potential exposure of customer data.

All of the reported issues have been repaired. As part of the investigation, we identified fewer than 10,000 consumer records that were accessed and we’ve found nothing to indicate that full credit or debit numbers, passwords or PINs were exposed. We are contacting affected guests individually to notify them of the data in their accounts that may have been accessed. 

We have taken a hard look to understand why there was a delay in resolving this issue after it was first reported to us. This delay is unacceptable, and we are introducing several new processes to ensure it does not happen again. This includes redefining our methods of prioritization and escalation of security issues, creating a formal security reporting process for independent researchers, and investing in new tools to protect our web properties and data.

John Meister
Chief Information Officer