U.S. food chain giant Panera Bread is notifying employees of a data breach after unknown threat actors stole their sensitive personal information in a March ransomware attack.
The company and its franchises own 2,160 cafes under the names Panera Bread or Saint Louis Bread Co, spread across 48 states in the U.S. and Ontario, Canada.
In breach notification letters filed with the Office of California’s Attorney General, Panera said it detected what it describes as a “security incident,” took measures to contain the breach, hired external cybersecurity experts to investigate the incident, and notified law enforcement.
“The files involved were reviewed, and on May 16, 2024, we determined that a file contained your name and Social Security number,” the company said.
“Other information you provided in connection with your employment could have been in the files involved. As of the date of mailing of this letter, there is no indication that the information accessed has been made publicly available.”
Panera says it will provide those affected by this data breach with a one-year membership to CyEx’s Identity Defense Total, which includes credit monitoring, identity detection, and identity theft resolution.
The company has yet to publicly disclose the number of employees impacted, the threat actor behind the attack, and the nature of the incident.
Breached in a ransomware attack, causing a week-long outage
While the food giant has yet to confirm this publicly, BleepingComputer reported in early April that many of Panera’s virtual machine systems were encrypted in a ransomware attack.
As a result of this breach, Panera suffered a massive outage that affected its internal IT systems, phones, point-of-sale systems, website, and mobile apps.
During this widespread system outage, employees could not access their shift details and had to contact their managers to learn work schedules.
Stores were also unable to process electronic payments and had to accept cash only, while reward program systems were down, preventing members from redeeming their points.
However, it’s unclear which ransomware operation was behind the March breach, as none have claimed responsibility. This implies that the threat actors are either waiting for a ransom payment or have already received it.
Panera has not responded to multiple requests for comment from BleepingComputer regarding the outage and the March ransomware attack.