Panera is warning employees that their data may have been compromised due to a cyberattack
Panera Bread has confirmed that it suffered a ransomware attack earlier this year.
The company sent a data breach notification letter to affected customers earlier this week, confirming that sensitive customer information had been stolen from company servers.
According to the notification letter, the company discovered the attack on March 23, 2024, after which it engaged a third-party cybersecurity firm to remediate the problem and investigate the incident. The company has also alerted police, the company said.
Identity theft monitoring
Nearly two months later, in mid-May 2024, investigators concluded their investigation and confirmed that people’s names and Social Security Numbers (SSN) had been stolen in the attack.
“Other information you provided in connection with your employment could have been included in the affected files,” Panera said.
Other details are not yet known. We contacted Panera to find out who the threat actors were, how many people were affected by the incident, and how much money the attackers demanded in exchange for the decryption key and keeping the data private.
Panera says there is no evidence yet that the stolen information is being released anywhere online. Given the wording of the letter, Panera may be expecting the data to leak, which could happen if the company refuses to pay the ransom.
Affected customers received a one-year membership to CyEx’s Identity Defense Total, a product that provides credit monitoring, identity detection and identity theft resolution.
“Enrolling in this program will not hurt your credit score,” Panera concluded.
The ransomware attack was disruptive enough to attract media attention. In early April, BleepingComputer reported that the Panera incident affected its internal IT systems, phones, cash register system, website and mobile apps. While the attack was underway, employees were unable to even access their shift records and were forced to accept only cash.