Panera warns employees their data may have been leaked following cyberattack

Panera Bread has confirmed suffering a ransomware attack earlier this year. 

The company sent out a data breach notification letter to affected customers earlier this week, confirming some sensitive customer information was stolen from company servers.

As per the notification letter, the company discovered the attack on March 23, 2024, after which it brought in a third-party cybersecurity firm to remedy the problem and investigate the incident. The company also notified the police, it said.

Identity theft monitoring

Almost two months later, in mid-May 2024, the researchers concluded their investigation and confirmed that people’s names, as well as Social Security Numbers (SSN), were stolen in the attack. 

“Other information you provided in connection with your employment could have been in the files involved,” Panera said. 

Other details are unknown at this time. We have reached out to Panera to learn who the threat actors were, how many people were affected by the incident, and how much money the attackers demanded in exchange for the decryption key and keeping the data private. 

Panera says that so far there is no evidence of the stolen information being released anywhere online. Given how the letter is worded, it could be that Panera expects the data to leak, which could happen if it declined to pay the ransom.

Affected customers received a year-long membership to CyEx’s Identity Defense Total, a product that offers credit monitoring, identity detection and resolution of identity theft.

“Enrolling in this program will not hurt your credit score,” Panera concluded.

The ransomware attack was disruptive enough to draw the attention of the media. In early April, BleepingComputer reported that the Panera incident affected its internal IT systems, phones, point-of-sale system, website, and mobile apps. In fact, while the attack was ongoing, employees could not access their shift details and were forced to accept cash only.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.