Panera Bread has confirmed that it suffered a ransomware attack earlier this year.
The company sent a data breach notification letter to affected customers earlier this week, confirming that some sensitive customer information was stolen from the company's servers.
According to the notification letter, the company discovered the attack on March 23, 2024, after which it hired an external cybersecurity company to address the issue and investigate the incident. The company also notified police, it said.
Identity theft monitoring
Almost two months later, in mid-May 2024, investigators concluded their work and confirmed that people's names, as well as Social Security numbers (SSNs), were stolen in the attack.
“Other information you provided in connection with your employment could have been in the files involved,” Panera said.
Other details are unknown at the moment. We contacted Panera to find out who the threat actors were, how many people were affected by the incident, and how much money the attackers demanded in exchange for the decryption key and keeping the data private.
Panera says there is no evidence so far that the stolen information was disclosed anywhere online. Given the wording of the letter, it is possible that Panera expects the data to be leaked, which could happen if it refused to pay the ransom.
Affected customers received a one-year membership to CyEx's Identity Defense Total, a product that offers credit monitoring, identity detection, and identity theft resolution.
“Enrolling in this program will not affect your credit score,” Panera concluded.
The ransomware attack was disruptive enough to attract media attention. In early April, BleepingComputer reported that the Panera incident affected its internal IT systems, phones, point-of-sale system, website and mobile applications. While the attack was ongoing, employees were unable to access their shift details and were forced to accept only cash.