Panera Bread's website had a security flaw that exposed customers' data for at least eight months, according to the cybersecurity blog KrebsOnSecurity.
The vulnerability on the bakery-cafe chain's website meant customers' names, emails, addresses, birthdays and the last four digits of their credit card numbers were not safeguarded, despite a security researcher flagging the issue to Panera last August, cybersecurity expert Brian Krebs wrote in a blog post on Monday.
Dylan Houlihan, the researcher who spotted the potential data exposure, told Krebs he repeatedly followed up after alerting Panera of his findings — but the problem was not addressed until Krebs reached out to the company on Monday.
The customers' data was never subject to any deliberate hacks; Houlihan, who did not immediately return a request for comment from NBC News, was simply pointing out how easily the data could have been abused because it wasn't protected.
But his repeated efforts to get Panera to better protect its customers' data were ignored, he said, until Krebs brought attention to it.
In a lengthy post on Medium, Houlihan, who is the managing principal of the New York-based security consulting practice Breaking Bits, posted what he said were screenshots of an email exchange with Panera Bread’s information security director, Mike Gustavison.
"There is a security vulnerability on the delivery.panerabread.com website that exposes sensitive information belonging to every customer who has signed up for an account to order Panera Bread online," Houlihan wrote on Aug. 2, 2017. "This shows the customer's full name, email address, phone number and the last four digits of their saved credit card number. Moreover, the customers are easily enumerable which means an attacker could crawl through all the records."
The screenshots show Gustavison initially replying that he thought Houlihan's email was a scam, but a couple days later, Gustavison responded, "We are working on a resolution." Houlihan, who discovered the issue while using Panera's delivery site himself, said he continued to check whether there had been a fix and continued to follow up with Panera.
It's unclear how many customer records were at risk. Krebs wrote that there were "millions," while Panera said there were under 10,000.
The company's website was briefly taken down Monday after Krebs' blog post was published. Panera said its site was down to repair an issue "following reports today of a potential problem."
"Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved," John Meister, chief information officer of Panera Bread, said in a statement sent to CNBC. "Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue and we are working diligently to finalize our investigation and take the appropriate next steps."
Panera did not immediately respond to a request for comment from NBC News.
Missouri-based Panera has more than 2,000 locations across North America. Questions over how well it safeguarded its customers' data came just days after a data beach compromised customer payment data at retailers Lord & Taylor and Saks.