
Panera Bread's digital outage reportedly blamed on ransomware attack

Cybersecurity site BleepingComputer.com said the company's virtual machines were encrypted by cyber attackers, resulting in the three-day outage. The report cites unnamed sources and internal emails.
During the outage, Panera Bread's kiosks said they were down for maintenance. | Photo by Lisa Jennings.

Panera Bread’s mysterious digital channel outage in March was the result of a ransomware attack.

That’s according to cybersecurity site BleepingComputer.com, which on Friday reported that a ransomware attack at Panera encrypted many of the company’s virtual machines, preventing access to data and applications.

BleepingComputer cites people familiar with the matter and internal emails but does not specify the evidence.

Panera officials, meanwhile, have not responded to multiple requests about the outage since it was first reported on March 22—and that silence has continued to fuel speculation that the incident was the result of a cyberattack.

The fast-casual chain’s website and app were down or hampered from Saturday, March 23 through Tuesday, March 26, along with in-store kiosks, though guests could still order at the registers.

Cashiers, however, couldn’t access the loyalty program and anyone who said they were an Unlimited Sip Club member was offered a free drink because team members could not access accounts. Catering and gift card sales were also impacted. Employees reportedly couldn’t access schedules.

By the following Tuesday, the digital systems were restored. Loyalty members were sent an email offering a procedure for earning rewards points missed while the digital channels were down.

For Panera, it was particularly bad timing. The chain was preparing for a menu overhaul the following week and parent company Panera Brands has been setting the stage for a potential initial public offering.

Still, it wouldn’t be the first time Panera has experienced a data breach.

In 2018, the chain’s website reportedly leaked customer data, including names, emails, addresses, birthdates and the last four digits of credit card numbers, for at least eight months before it was yanked offline, according to the site KrebsOnSecurity.com.

Such attacks are a growing problem for restaurant companies that rely increasingly on technology and digital data.

Sean Deuby, a technology security analyst with Semperis, said such attacks and disruptions often lead to tens of millions of dollars spent on recovery.

“Modern businesses that employ just-in-time supply chains are especially vulnerable to a disruption in that chain because there’s little to no inventory to act as a buffer against the disruption,” he said.

“In addition to restoring operations, a major concern for Panera Bread and other companies that face ransomware attacks is protecting customer and employee data,” Deuby added. “They must be examining to what extent the hackers have breached their systems.”

Companies can improve their resiliency to such attacks by knowing what their critical systems are, including infrastructure such as Active Directory, which should be monitored for unauthorized changes, he said.

They can also make their organizations difficult to compromise, since hackers tend to look for softer targets.

 
