A major U.S. and Canadian foodservice operator, Panera Bread, was allegedly hacked by the hacking group Shiny Hunters. The hackers claimed to have stolen nearly 14 million records relating to employees and customers. Samples of the stolen data reviewed by Cybernews researchers appear to be authentic and contain personally identifiable information (PII) that can be used for a variety of types of attacks such as, but limited to, identity theft, account takeover, tax fraud, and spear phishing.
The leaked information apparently includes:
Full Names
Usernames
Work Email Address
Personal Email Address
Phone Numbers
Home Addresses
Dates of Birth
Shiny Hunters posted Panera Bread to their forum on the Dark Web and claimed to have gained access to a large database containing PII of customers and employees. researchers reviewed the sample data released by Shiny Hunters and found that the data does indeed appear to be legitimate and contains information that would allow someone to steal identities or commit other forms of fraud.
This type of data can be used for identity theft, to create fraudulent accounts using the victim’s name, to file taxes in the victim’s name, and to use spear phishing tactics to gain access to the victim’s computer system. Panera Bread is the largest casual dining restaurant chain in North America, operates more than 2,000 restaurants and employs over 140,000 people.
When contacted for comment regarding this story, Panera Bread did not respond. Once we receive a formal response from Panera Bread, this article will be updated. Shiny Hunters is one of the most prolific hacking groups known for stealing millions of dollars’ worth of corporate data through numerous high-profile hacks throughout the world. In addition to the Salesforce CRM hack that affected many thousands of companies last year, Shiny Hunters also hacked into the systems of many other companies in 2020.
Restaurant chains are attractive hacking targets because of the enormous amount of data about customers and employees that they maintain, often in highly distributed and complex computing environments.
If true, the Panera Bread hack could have disastrous consequences for those whose data was breached and for the company itself. The size of the alleged data breach shows how service and retail businesses continue to be plagued by serious cyber security risks and how personally identifiable data remains a primary goal for cyber thieves.
