Six plaintiffs bring this class action against Panera Bread Company for allegedly leaving their personal identifying information available in plain text. Panera did not properly safeguard this information, the complaint claims, and after it was informed of the problem, it ignored it for eight months. The complaint alleges that the information included names, credit or debit account numbers, card expiration dates, card verification codes, e-mails, telephone numbers, and so on.
The Nationwide Class for this action is all Panera customers who created (a) a Panera Rewards card account or (b) an account using the Internet and smartphone MyPanera app to order food for pickup. Various state classes may also be proposed.
Customers were required to surrender personal information when setting up the Panera Rewards or MyPanera accounts and may have updated the information when using the accounts. The information was easy to exploit, the complaint claims, because the accounts were assigned sequential numbers which allowed them to be “indexed and crawled by automated tools with very little effort.” Also, the complaint says the database allowed searches to be performed by a number of data points, such as telephone numbers.
On August 2, 2017, security researcher Dylan Houlihan contacted Panera to warn it that the information was readily available online. Panera’s director of information security, Mike Gustavison, seems initially to have thought Houlihan’s e-mail was a scam but a week later thanked him and told him that “we are working on a resolution.”
Houlihan later said, “The flaw never disappeared. I checked on it every month or so because I was pissed.” When eight months had passed, he finally decided to go public with the information and contacted the website Krebs on Security, which posted an article on April 2, 2018. The website was taken offline the same day and the information was removed.
Panera claimed to have fixed the problem within less than two hours after it was notified by Krebs on Security, but, said the article, “Panera did not explain why it appears to have taken the company eight months to fix the issue after initially acknowledging it privately with Houlihan.”
The counts in the complaint include violations of the Illinois Personal Information Protection Act and Consumer Fraud and Deceptive Business Practices Act as well as the tort of intrusion upon seclusion, breach of contract, negligence, and violation of the right of privacy.