37M Panera Bread customer records found to be exposed to all and sundry
Some 37 million customers of the Panera Bread Co. may have had their personal information stolen after it was disclosed that the cafe chain left the data exposed on its servers in plain text for all and sundry to download.
The data breach was discovered by security researcher Dylan Houlihan. He said in a post on Medium Monday that he informed the company in August last year that the data was publicly accessible, but went public only now because Panera, eight months later, had taken no action to secure it.
The data includes the full name, home address, email address, food/dietary preferences, username, phone number, birthday and last four digits of a saved credit card, according to Houlihan. All of it could be accessed in bulk by anyone who had signed up for an account.
Worse still, after initially dismissing Houlihan’s report of the data breach as a hoax, Panera subsequently admitted the breach and said it would be dealt with, but did absolutely nothing to fix it.
Panera denied the extent of the data breach, telling Fox News that “our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps.”
Roy Feintuch, co-founder and chief technology officer of Dome9 Security Inc., told SiliconANGLE that the Panera Bread incident is a textbook example of security crisis mismanagement.
“What we’re seeing is poor application security design that exposes internal resources, compounded by poor incident response, negligence and pure lies,” Feintuch said. “Even after the data exposure was purportedly fixed, folks were able to find open ports” using simple queries.
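The failure the article describes, any signed-up account being able to pull every other customer's record in bulk, is the textbook broken object-level authorization pattern: the server checks that a caller is logged in but never checks that the caller owns the record being requested. The following is an added example written for this page, not code from Panera, from Houlihan's write-up or from Dome9; the record layout, the sequential numeric IDs, the handler signatures and the sample customers are all constructed for illustration, and the article does not disclose how Panera's endpoint actually worked. It shows the vulnerable handler beside a hardened one, and a bulk-enumeration loop run against each.

```python
"""Broken object-level authorization, vulnerable and hardened side by side.

Constructed example: an in-memory model of an account-profile API where
every customer record is addressable by a sequential numeric ID. This is
not Panera's code; the data model and endpoint shape are assumptions.
"""
from dataclasses import dataclass, asdict
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Customer:
    customer_id: int
    username: str
    full_name: str
    email: str
    phone: str
    birthday: str
    home_address: str
    dietary_prefs: str
    card_last4: str


# Constructed sample data. Sequential IDs make walking the table trivial.
CUSTOMERS: Dict[int, Customer] = {
    1: Customer(1, "alice", "Alice Example", "alice@example.com", "555-0100",
                "1980-01-01", "1 Main St", "vegetarian", "4242"),
    2: Customer(2, "bob", "Bob Example", "bob@example.com", "555-0101",
                "1975-05-05", "2 Oak Ave", "gluten-free", "1111"),
    3: Customer(3, "carol", "Carol Example", "carol@example.com", "555-0102",
                "1990-09-09", "3 Pine Rd", "none", "9999"),
}


class Forbidden(Exception):
    """Raised when a caller is not allowed to read the requested record."""


@dataclass(frozen=True)
class Session:
    """The authenticated caller. Anyone who signs up gets one of these."""
    customer_id: int


def get_customer_vulnerable(session: Optional[Session], customer_id: int) -> Optional[dict]:
    """Checks only THAT the caller is logged in, not WHO they are.

    Any account can iterate IDs 1..N and dump the whole customer table,
    card digits included.
    """
    if session is None:
        raise Forbidden("login required")
    record = CUSTOMERS.get(customer_id)
    return asdict(record) if record else None


def get_customer_hardened(session: Optional[Session], customer_id: int) -> Optional[dict]:
    """Object-level authorization: a caller may read only its own record.

    The ownership check runs before the lookup, so a request for someone
    else's ID fails the same way whether or not that ID exists, and the
    endpoint cannot be used to enumerate valid accounts. Card digits are
    dropped because a profile screen has no need for them.
    """
    if session is None:
        raise Forbidden("login required")
    if customer_id != session.customer_id:
        raise Forbidden("not your record")
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return None
    public = asdict(record)
    public.pop("card_last4")
    return public


def bulk_dump(handler: Callable[[Session, int], Optional[dict]],
              session: Session, max_id: int) -> Dict[int, dict]:
    """What an attacker with a single account does: walk the ID space
    and keep every record the server hands back."""
    dumped: Dict[int, dict] = {}
    for cid in range(1, max_id + 1):
        try:
            rec = handler(session, cid)
        except Forbidden:
            continue
        if rec is not None:
            dumped[cid] = rec
    return dumped


if __name__ == "__main__":
    attacker = Session(customer_id=2)  # one ordinary sign-up
    print("vulnerable handler leaked IDs:",
          sorted(bulk_dump(get_customer_vulnerable, attacker, 10)))
    print("hardened handler returned IDs:",
          sorted(bulk_dump(get_customer_hardened, attacker, 10)))
```

The point of `bulk_dump` is that the attacker needs nothing beyond a normal account and a loop; against the vulnerable handler one sign-up recovers every record, against the hardened one it recovers only its own, minus the card digits. In a real service the same check belongs in the data-access layer, not just the HTTP handler, so that every code path that can reach a customer record is covered, and record identifiers should not be guessable sequential integers in the first place.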
Photo: jeepersmedia/Flickr