
Our first bakery-cafe opened in 1987, founded with a secret sourdough starter and the belief that the best part of bread is sharing it. That vision led to the invention of the Fast Casual category with Panera at the forefront, centered around our delicious menu of chef-curated recipes that are crafted with care by our team members. We make food that we are proud to serve our own families, from crave-worthy soups, salads and sandwiches to mac & cheese and sweets. Each recipe is filled with ingredients we feel good about and none of those we don't because we are committed to serving our guests food that feels good in the moment and long after. While our company is now more than 2,200 bakery-cafes strong, our values and belief in the lasting power of a great meal remain as strong as ever. Nothing beats breaking bread together. We believe in serving delicious, freshly prepared food made with carefully selected ingredients that we are proud to serve our own families. Our menu, crafted by chefs and bakers, features classic, comforting dishes, each with an intriguing twist. We’re also focused on improving quality and convenience. With investments in technology and operations, we offer omni-channel access to your Panera favorites – like mobile ordering, catering, and Rapid Pick-Up® for to-go orders, Curbside pick-up and delivery – all designed to make things easier for our guests. Today, Panera operates as both Panera Bread® or Saint Louis Bread Co St. Louis Bread Company in 48 states, the District of Columbia and Canada. To find a location in your area, click here. Panera Bread is privately held by JAB Holding Company. Panera Bread is part of Panera Brands, one of the largest fast casual restaurant platforms in the U.S., comprised of Panera Bread®, Caribou Coffee® and Einstein Bros.® Bagels.

Panera Bread A.I CyberSecurity Scoring

Panera Bread

Company Details

LinkedIn ID: panera-bread
Number of employees: 42,855
Number of followers: 207,587
NAICS: 7225
Industry Type: Restaurants
Homepage: panerabread.com
IP Addresses: 0
Company ID: PAN_3523675
Scan Status: In-progress

Panera Bread Risk Score (AI oriented)

Between 550 and 599

  • Powered by our proprietary A.I cyber incident model
  • Insurers prefer the TPRM score when calculating premiums
Panera Bread Global Score (TPRM)

XXXX


Panera Bread Company CyberSecurity News & History

Past Incidents: 5
Attack Types: 2

CrunchBase, Panera Bread, Match Group and Bumble: Bumble, Match, Panera Bread and CrunchBase hit by cyberattacks, Bloomberg News reports
Breach
Severity: 50
Impact: 2
Seen: 1/2026
Supply Chain Source: NA
Rankiteo Explanation
Attack limited on finance or reputation

Description: Cyberattacks Target Bumble, Match, Panera Bread, and CrunchBase. Several high-profile companies, including dating platforms Bumble and Match, food chain Panera Bread, and corporate data provider CrunchBase, were hit by cyberattacks, according to a Bloomberg News report on Wednesday. The incidents, confirmed by company spokespersons, varied in scope and impact. Bumble stated that the intruders did not access its member database, accounts, direct messages, or profiles. Similarly, Match Group, parent company of Tinder, reported that a limited amount of user data was affected, though login credentials, financial information, and private communications remained secure. CrunchBase disclosed that documents on its corporate network were compromised but that it contained the breach. Panera Bread confirmed an incident involving contact information and notified authorities. The attacks highlight ongoing cybersecurity risks across industries, with companies emphasizing containment efforts and minimal exposure of sensitive data. No further details on the attackers or their motives were provided.

Panera Bread, Edmunds and CarMax: ShinyHunters claims Panera Bread in alleged data theft
Breach
Severity: 85
Impact: 4
Seen: 1/2026
Supply Chain Source: Microsoft Entra Community
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: ShinyHunters Claims Data Breaches at Panera Bread, CarMax, Edmunds, and More. The extortion group ShinyHunters has alleged large-scale data theft from multiple organizations, including Panera Bread, CarMax, and Edmunds, as part of a broader campaign targeting corporate credentials. According to claims reviewed by The Register and shared on the dark web, the group exfiltrated over 14 million records from Panera Bread, including names, email addresses, phone numbers, and account details, totaling 760 MB of compressed data. CarMax and Edmunds were also reportedly breached, with 500,000+ records (1.7 GB) and "millions" of records (12 GB), respectively, containing similar personally identifiable information (PII). ShinyHunters stated it accessed Panera’s systems via a Microsoft Entra single-sign-on (SSO) code, while the CarMax and Edmunds breaches stemmed from earlier, unrelated intrusions. The group’s claims align with previous activity by Scattered Lapsus$ Hunters, a linked threat actor that posted CarMax data on a now-defunct leak site last fall, citing compromises in Salesforce environments. The campaign extends beyond these three companies. Last week, ShinyHunters added Crunchbase, SoundCloud, and Betterment to its list of victims, claiming over 50 million records stolen in total. Access to Crunchbase and Betterment was reportedly gained through voice-phishing attacks targeting Okta SSO credentials, a tactic Okta warned about in recent advisories. Betterment confirmed an unauthorized intrusion on January 9, where attackers used social engineering to access third-party marketing platforms and send fraudulent crypto-related messages to customers. Security researchers have observed the group’s expanding operations. Silent Push reported that ShinyHunters’ latest credential-stealing campaign targeted around 100 organizations in the past 30 days, though it remains unconfirmed how many attacks succeeded. Meanwhile, Mandiant is tracking a "new, ongoing ShinyHunters-branded campaign" leveraging voice-phishing to harvest SSO credentials. None of the named companies (Panera Bread, CarMax, Edmunds, Crunchbase, or Betterment) have publicly responded to the claims. Microsoft and Google stated they had no indication their products were directly affected by the phishing campaign. The incidents underscore the growing threat of social engineering attacks bypassing multi-factor authentication (MFA) to compromise corporate systems.

Panera Bread
Breach
Severity: 85
Impact: 4
Seen: 3/2024
Supply Chain Source: Microsoft Entra Community
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Panera Bread suffered a major data breach exposing sensitive customer information, including Social Security numbers, addresses, birth dates, and passcodes, from 73 million accounts (current and former customers). The breach occurred in two phases: March 30, 2024, and July 12, 2024, with hackers downloading data from a third-party cloud platform and leaking it on the dark web. The incident led to consolidated state and federal lawsuits, alleging negligence in cybersecurity measures. Customers faced risks of identity theft, fraud, and financial losses, with compensation claims categorized into tiers: up to $500 for ordinary losses (e.g., credit monitoring), $2,500 for time spent resolving issues, and $6,500 for documented extraordinary losses. The breach severely damaged customer trust and exposed the company to legal and reputational consequences.

Panera, LLC
Ransomware
Severity: 100
Impact: 4
Seen: 2/2024
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: The Washington State Office of the Attorney General reported that Panera, LLC experienced a cybersecurity incident on March 23, 2024, affecting approximately 811 Washington residents. The breach, identified as a ransomware attack, involved unauthorized access to files that included names and Social Security numbers.

Panera Bread
Breach
Severity: 60
Impact: 4
Seen: 04/2018
Supply Chain Source: NA
Rankiteo Explanation
Attack with significant impact with customers data leaks

Description: Panerabread.com, the Web site for the American chain of bakery-cafe fast casual restaurants, suffered a data breach incident. The breach compromised information including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number. The data was left exposed for at least eight months before it was yanked offline.


Underwriter Stats for Panera Bread

Incidents vs Restaurants Industry Average (This Year)

Panera Bread has 100.0% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

Panera Bread has 70.94% more incidents than the average of all companies with at least one recorded incident.

Incident Types Panera Bread vs Restaurants Industry Avg (This Year)

Panera Bread reported 2 incidents this year: 0 cyber attacks, 0 ransomware, 0 vulnerabilities, 2 data breaches, compared to industry peers with at least 1 incident.

Incident History — Panera Bread (X = Date, Y = Severity)

Panera Bread cyber incidents detection timeline including parent company and subsidiaries


Panera Bread Similar Companies

Burger King

The year is 1954. Dave and Jim*, two budding entrepreneurs, are on a mission to re-design the perfect broiler, one that will infuse flame-grilled goodness into every burger. And that's how our brand was born. Today the Burger King Corporation, its affiliates and its franchisees collectively operat

We’re KFC. The iconic, brand making world-famous finger lickin’ good fried chicken since 1952. Our unrivaled people and culture are the true heart and soul of our brand. It’s where our people promise comes to life every day. Where our employees can be their best selves, make a difference, and have f

Brinker International

Dallas-based Brinker International, Inc. is one of the world’s leading casual dining restaurant companies. Founded in 1975, Brinker owns, operates or franchises more than 1,600 restaurants across 29 countries and two territories under the names Chili’s® Grill & Bar and Maggiano’s Little Italy®. O

Raising Cane's Chicken Fingers

Founded by Todd Graves in 1996 in Baton Rouge, La., RAISING CANE'S CHICKEN FINGERS has over 800 restaurants in 41 states, with many new restaurants under construction. The company has ONE LOVE®—craveable chicken finger meals—and is continually recognized for its unique business model and customer sa

Chick-fil-A Corporate Support Center

At its Atlanta headquarters, known as the Corporate Support Center, Chick-fil-A, Inc. offers full-time careers in various fields such as Digital Transformation & Technology, Financial Services & Accounting, Enterprise Analytics, Restaurant Development, Early Talent Programs and more. Our team of mor

Jack in the Box

Jack in the Box has always been the place for those who live outside the box. Where you can try new things and order what you want when you want it. Now, let’s get to the facts! Did you know Jack in the Box was founded on February 21, 1951, by a businessman named Robert O. Peterson in San Diego, Cal

Domino's

Domino’s is a purpose-inspired, performance-driven company powered by exceptional people who are committed to feeding the power of possible—one pizza at a time. Founded in 1960 with a single store in Ypsilanti, Michigan, Domino’s has grown into one of the most recognized and leading pizza brands in

GRSA - Soluções em Alimentação e em Serviços de Suporte. Offering healthy and balanced food solutions, with the highest quality standards and in accordance with each client's needs. We are present in companies, schools, hospitals, passenger terminals and in locations re

Popeyes Louisiana Kitchen

Founded in New Orleans in 1972, POPEYES® has more than 45 years of history and culinary tradition. Popeyes distinguishes itself with a unique New Orleans-style menu featuring spicy chicken, chicken tenders, fried shrimp, and other regional items. The chain's passion for its Louisiana heritage and fl


Panera Bread CyberSecurity News

February 25, 2026 08:00 AM
Con Watch: Panera Bread, the ShinyHunters Data Breach, and Class Action Lawsuits

Recently, the hacking group ShinyHunters stole personal information from 5 million customers of Panera Bread. Were you one of them?

February 25, 2026 08:00 AM
Major CarGurus data breach reportedly sees 1.7 million corporate records stolen

Online car marketplace CarGurus is allegedly the latest company to fall prey to ShinyHunters' vishing attacks.

February 23, 2026 08:00 AM
Panera faces multiple lawsuits following data breach

Customers seeking class-action status argue in court that the fast-casual chain failed to protect their personal information, even after.

February 20, 2026 08:00 AM
Panera Bread Faces Legal Action After January 2026 Customer Data Breach Claims

Two class action lawsuits have been filed against Panera Bread, alleging the company failed to properly secure customer data during a...

February 19, 2026 08:00 AM
Panera Bread data breach exposes 5.1M customers

Panera Bread data breach affects 5.1 million customers after ShinyHunters claims it stole customer records including names and email...

February 18, 2026 08:00 AM
Panera Bread data breach exposes 5.1 million customers

Panera Bread confirms a data breach affecting 5.1 million people after stolen customer contact data was leaked online by hackers.

February 03, 2026 08:00 AM
Hackers Leak 5.1 Million Panera Bread Records

The ShinyHunters extortion group has leaked 14 million records allegedly stolen from US bakery-cafe chain Panera Bread.

February 03, 2026 08:00 AM
Panera Bread data breach much more serious than we thought - over 5 million customers were hit, new reports claim

ShinyHunters breached Panera Bread, stealing 14 million records of customer data; Actual impact closer to 5.1 million users,...

February 03, 2026 08:00 AM
Panera Bread data breach affects 5.1 million accounts, not 14 million

The ShinyHunters extortion gang claimed to have stolen data from over 14 million Panera Bread user accounts in late January.


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Panera Bread CyberSecurity History Information

Official Website of Panera Bread

The official website of Panera Bread is https://www.panerabread.com/en-us/home.html.

Panera Bread’s AI-Generated Cybersecurity Score

According to Rankiteo, Panera Bread’s AI-generated cybersecurity score is 559, reflecting their Very Poor security posture.

How many security badges does Panera Bread have?

According to Rankiteo, Panera Bread currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Has Panera Bread been affected by any supply chain cyber incidents?

According to Rankiteo, Panera Bread has been affected by multiple supply chain cyber incidents. The affected supply chain sources and their corresponding incident IDs are:

  • Microsoft Entra Community (Incident ID: PANEDMCAR1769547392)
  • Microsoft Entra Community (Incident ID: PAN3962339111225)

Does Panera Bread have SOC 2 Type 1 certification?

According to Rankiteo, Panera Bread is not certified under SOC 2 Type 1.

Does Panera Bread have SOC 2 Type 2 certification?

According to Rankiteo, Panera Bread does not hold a SOC 2 Type 2 certification.

Does Panera Bread comply with GDPR?

According to Rankiteo, Panera Bread is not listed as GDPR compliant.

Does Panera Bread have PCI DSS certification?

According to Rankiteo, Panera Bread does not currently maintain PCI DSS compliance.

Does Panera Bread comply with HIPAA?

According to Rankiteo, Panera Bread is not compliant with HIPAA regulations.

Does Panera Bread have ISO 27001 certification?

According to Rankiteo, Panera Bread is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Panera Bread

Panera Bread operates primarily in the Restaurants industry.

Number of Employees at Panera Bread

Panera Bread employs approximately 42,855 people worldwide.

Subsidiaries Owned by Panera Bread

Panera Bread presently has no subsidiaries across any sectors.

Panera Bread’s LinkedIn Followers

Panera Bread’s official LinkedIn profile has approximately 207,587 followers.

NAICS Classification of Panera Bread

Panera Bread is classified under the NAICS code 7225, which corresponds to Restaurants and Other Eating Places.

Panera Bread’s Presence on Crunchbase

Yes, Panera Bread has an official profile on Crunchbase, which can be accessed here: https://www.crunchbase.com/organization/panera-bread.

Panera Bread’s Presence on LinkedIn

Yes, Panera Bread maintains an official LinkedIn profile, which is actively utilized for branding and talent engagement and can be accessed here: https://www.linkedin.com/company/panera-bread.

Cybersecurity Incidents Involving Panera Bread

As of April 02, 2026, Rankiteo reports that Panera Bread has experienced 5 cybersecurity incidents.

Number of Peer and Competitor Companies

Panera Bread has an estimated 4,932 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Panera Bread?

Incident Types: The types of cybersecurity incidents that have occurred include Breach and Ransomware.

How does Panera Bread detect and respond to cybersecurity incidents?

Detection and Response: The company detects and responds to cybersecurity incidents through a communication strategy (customer notifications via settlement administrators, public disclosure of breach details, and a settlement website for claims), notification of law enforcement (Panera Bread notified authorities), and containment measures (contained the breach, Crunchbase).

Incident Details

Can you provide details on each incident?

Incident : Data Breach

Title: Panerabread.com Data Breach

Description: Panerabread.com, the Web site for the American chain of bakery-cafe fast casual restaurants, suffered a data breach incident. The breach compromised information including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number. The data was left exposed for at least eight months before it was yanked offline.

Type: Data Breach

Incident : Ransomware Attack

Title: Panera, LLC Ransomware Attack

Description: The Washington State Office of the Attorney General reported that Panera, LLC experienced a cybersecurity incident on March 23, 2024, affecting approximately 811 Washington residents. The breach, identified as a ransomware attack, involved unauthorized access to files that included names and Social Security numbers.

Date Detected: 2024-03-23

Type: Ransomware Attack

Incident : Data Breach

Title: Panera Bread Data Breach (2024)

Description: A major data breach at Panera Bread exposed sensitive customer information, including addresses, Social Security numbers, birth dates, and passcodes, affecting approximately 73 million accounts. The compromised data was found on a dark web dataset, leading to consolidated state and federal lawsuits. Two incidents were reported: one on March 30, 2024, and another on July 12, 2024, involving a third-party cloud platform. A class action lawsuit settlement offers compensation to affected customers, with claims due by November 11, 2025.

Date Detected: 2024-03-30

Date Publicly Disclosed: 2024-03-30, 2024-07-12

Type: Data Breach

Attack Vector: Unauthorized access to customer database, Third-party cloud platform compromise

Vulnerability Exploited: Inadequate cybersecurity measures (alleged)

Motivation: Likely financial (data sold on dark web)

Incident : Data Breach

Title: ShinyHunters Claims Data Breaches at Panera Bread, CarMax, Edmunds, and More

Description: The extortion group ShinyHunters has alleged large-scale data theft from multiple organizations, including Panera Bread, CarMax, and Edmunds, as part of a broader campaign targeting corporate credentials. The group exfiltrated over 14 million records from Panera Bread, 500,000+ records from CarMax, and millions of records from Edmunds, containing personally identifiable information (PII). The breaches were reportedly achieved via Microsoft Entra SSO code exploitation, earlier intrusions, and voice-phishing attacks targeting Okta SSO credentials.

Type: Data Breach

Attack Vector: Phishing (Voice-Phishing), Exploitation of SSO Vulnerabilities, Social Engineering

Vulnerability Exploited: Microsoft Entra SSO Code, Okta SSO Credentials, Salesforce Environments

Threat Actor: ShinyHunters (linked to Scattered Lapsus$ Hunters)

Motivation: Extortion, Data Theft for Sale on Dark Web

Incident : data_breach

Title: Cyberattacks Target Bumble, Match, Panera Bread, and CrunchBase

Description: Several high-profile companies including dating platforms Bumble and Match, food chain Panera Bread, and corporate data provider CrunchBase were hit by cyberattacks. The incidents varied in scope and impact, with companies emphasizing containment efforts and minimal exposure of sensitive data.

Type: data_breach

What are the most common types of attacks the company has faced?

Common Attack Types: The most common type of attack the company has faced is Breach.

How does the company identify the attack vectors used in incidents?

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Microsoft Entra SSO Code, Okta SSO Credentials, Voice-Phishing.

Impact of the Incidents

What was the impact of each incident?

Incident : Data Breach PAN2122261122

Data Compromised: Names, Email addresses, Physical addresses, Birthdays, Last four digits of credit card numbers

Incident : Ransomware Attack PAN520072525

Data Compromised: Names, Social security numbers

Incident : Data Breach PAN3962339111225

Data Compromised: Addresses, Social security numbers, Birth dates, Passcodes, Customer account details

Systems Affected: Customer database, Third-party cloud platform

Customer Complaints: Multiple (led to class action lawsuit)

Brand Reputation Impact: Significant (lawsuits, settlement, public disclosure)

Legal Liabilities: Class action lawsuit, Consolidated state and federal lawsuits, Settlement payments (up to $6,500 per claimant)

Identity Theft Risk: High (SSNs, birth dates, and passcodes exposed)

Incident : Data Breach PANEDMCAR1769547392

Data Compromised: Personally Identifiable Information (PII), Account Details, Customer Records

Systems Affected: Microsoft Entra SSO, Okta SSO, Salesforce Environments, Third-Party Marketing Platforms

Operational Impact: Unauthorized Access to Corporate Systems, Fraudulent Customer Communications

Brand Reputation Impact: Potential Damage Due to Data Exposure and Fraudulent Activities

Identity Theft Risk: High (Exposure of Names, Email Addresses, Phone Numbers, Account Details)

Incident : data_breach MATBUMCRUPAN1770710058

Data Compromised: varied

What types of data are most commonly compromised in incidents?

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Names, Email Addresses, Physical Addresses, Birthdays, Last Four Digits of Credit Card Numbers; Names, Social Security Numbers; Personally Identifiable Information (PII), Sensitive Authentication Data; Names, Email Addresses, Phone Numbers, Account Details; User Data (Match Group), Contact Information (Panera Bread), Corporate Documents (Crunchbase).

Which entities were affected by each incident ?

Incident : Data Breach PAN2122261122

Entity Name: Panera Bread

Entity Type: Company

Industry: Food and Beverage

Location: United States

Incident : Ransomware Attack PAN520072525

Entity Name: Panera, LLC

Entity Type: Company

Industry: Food and Beverage

Location: Washington

Customers Affected: 811

Incident : Data Breach PAN3962339111225

Entity Name: Panera Bread

Entity Type: Bakery-cafe chain

Industry: Food and Beverage / Retail

Location: United States (nationwide)

Size: Large (millions of customers)

Customers Affected: 73,000,000 (estimated)

Incident : Data Breach PANEDMCAR1769547392

Entity Name: Panera Bread

Entity Type: Corporation

Industry: Food & Beverage

Customers Affected: 14 million records

Incident : Data Breach PANEDMCAR1769547392

Entity Name: CarMax

Entity Type: Corporation

Industry: Automotive

Customers Affected: 500,000+ records

Incident : Data Breach PANEDMCAR1769547392

Entity Name: Edmunds

Entity Type: Corporation

Industry: Automotive

Customers Affected: Millions of records

Incident : Data Breach PANEDMCAR1769547392

Entity Name: Crunchbase

Entity Type: Corporation

Industry: Technology (Business Information)

Incident : Data Breach PANEDMCAR1769547392

Entity Name: SoundCloud

Entity Type: Corporation

Industry: Technology (Music Streaming)

Incident : Data Breach PANEDMCAR1769547392

Entity Name: Betterment

Entity Type: Corporation

Industry: FinTech

Incident : data_breach MATBUMCRUPAN1770710058

Entity Name: Bumble

Entity Type: dating platform

Industry: Technology/Dating Services

Incident : data_breach MATBUMCRUPAN1770710058

Entity Name: Match Group

Entity Type: parent company of Tinder

Industry: Technology/Dating Services

Customers Affected: limited amount of user data

Incident : data_breach MATBUMCRUPAN1770710058

Entity Name: Panera Bread

Entity Type: food chain

Industry: Food & Beverage

Customers Affected: contact information

Incident : data_breach MATBUMCRUPAN1770710058

Entity Name: CrunchBase

Entity Type: corporate data provider

Industry: Technology/Data Services

Customers Affected: documents on corporate network

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Data Breach PAN3962339111225

Communication Strategy: Customer notifications via settlement administrators, Public disclosure of breach details, Settlement website for claims

Incident : data_breach MATBUMCRUPAN1770710058

Law Enforcement Notified: Panera Bread notified authorities

Containment Measures: contained the breach (CrunchBase)

Data Breach Information

What type of data was compromised in each breach ?

Incident : Data Breach PAN2122261122

Type of Data Compromised: Names, Email addresses, Physical addresses, Birthdays, Last four digits of credit card numbers

Personally Identifiable Information: names, email addresses, physical addresses, birthdays

Incident : Ransomware Attack PAN520072525

Type of Data Compromised: Names, Social security numbers

Number of Records Exposed: 811

Sensitivity of Data: High

Incident : Data Breach PAN3962339111225

Type of Data Compromised: Personally identifiable information (pii), Sensitive authentication data

Number of Records Exposed: 73,000,000

Sensitivity of Data: High (SSNs, birth dates, passcodes)

Data Exfiltration: Confirmed (data found on dark web)

Personally Identifiable Information: Names, Addresses, Social Security numbers, Birth dates, Passcodes

Incident : Data Breach PANEDMCAR1769547392

Type of Data Compromised: Names, Email addresses, Phone numbers, Account details

Number of Records Exposed: 14 million (Panera Bread), 500,000+ (CarMax), Millions (Edmunds), 50+ million (Total Across All Victims)

Sensitivity of Data: High (PII, Account Credentials)

Incident : data_breach MATBUMCRUPAN1770710058

Type of Data Compromised: User data (match group), Contact information (panera bread), Corporate documents (crunchbase)

Personally Identifiable Information: contact information (Panera Bread)

How does the company handle incidents involving personally identifiable information (PII) ?

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) by containing the breach (CrunchBase).

Ransomware Information

Was ransomware involved in any of the incidents ?

Incident : Data Breach PANEDMCAR1769547392

Data Exfiltration: True

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident ?

Incident : Data Breach PAN3962339111225

Legal Actions: Class action lawsuit, State and federal lawsuits (consolidated)

How does the company ensure compliance with regulatory requirements ?

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Class action lawsuit, State and federal lawsuits (consolidated).

References

Where can I find more information about each incident ?

Incident : Ransomware Attack PAN520072525

Source: Washington State Office of the Attorney General

Date Accessed: 2024-03-23

Incident : Data Breach PAN3962339111225

Source: Panera Bread Data Breach Settlement Website

Incident : Data Breach PAN3962339111225

Source: Class Action Lawsuit Filings (State and Federal)

Incident : Data Breach PANEDMCAR1769547392

Source: The Register

Incident : Data Breach PANEDMCAR1769547392

Source: Silent Push

Incident : Data Breach PANEDMCAR1769547392

Source: Mandiant

Incident : Data Breach PANEDMCAR1769547392

Source: Okta Advisories

Incident : data_breach MATBUMCRUPAN1770710058

Source: Bloomberg News

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the Washington State Office of the Attorney General (date accessed: 2024-03-23), the Panera Bread Data Breach Settlement Website, Class Action Lawsuit Filings (State and Federal), The Register, Silent Push, Mandiant, Okta Advisories, and Bloomberg News.

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Data Breach PAN3962339111225

Investigation Status: Ongoing (settlement pending Final Fairness Hearing on January 29, 2026)

Incident : Data Breach PANEDMCAR1769547392

Investigation Status: Ongoing

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Customer Notifications Via Settlement Administrators, Public Disclosure Of Breach Details and Settlement Website For Claims.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Data Breach PAN3962339111225

Stakeholder Advisories: Customers notified via settlement administrators; public deadlines communicated (claims due by November 11, 2025).

Customer Advisories: Eligible customers instructed to file claims by November 11, 2025, for compensation (up to $6,500 for extraordinary losses, $500 for ordinary losses).

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: Customers notified via settlement administrators; public deadlines communicated (claims due by November 11, 2025). Eligible customers instructed to file claims by November 11, 2025, for compensation (up to $6,500 for extraordinary losses and $500 for ordinary losses).

Initial Access Broker

How did the initial access broker gain entry for each incident ?

Incident : Data Breach PAN3962339111225

High Value Targets: Customer database (PII and authentication data)

Data Sold on Dark Web: Customer database (PII and authentication data)

Incident : Data Breach PANEDMCAR1769547392

Entry Point: Microsoft Entra SSO Code, Okta SSO Credentials, Voice-Phishing

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Data Breach PAN3962339111225

Root Causes: Alleged failure to implement adequate cybersecurity measures

Incident : Data Breach PANEDMCAR1769547392

Root Causes: Exploitation of SSO Vulnerabilities, Social Engineering (Voice-Phishing), Compromised Third-Party Platforms

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking group in the last incident was ShinyHunters (linked to Scattered Lapsus$ Hunters).

Incident Details

What was the most recent incident detected ?

Most Recent Incident Detected: The most recent incident detected was on 2024-03-23.

What was the most recent incident publicly disclosed ?

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2024-03-30.

Impact of the Incidents

What was the most significant data compromised in an incident ?

Most Significant Data Compromised: The most significant data compromised in an incident were names, email addresses, physical addresses, birthdays, last four digits of credit card numbers; names, Social Security numbers; addresses, Social Security numbers, birth dates, passcodes, customer account details; Personally Identifiable Information (PII), account details, customer records; and varied.

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were Customer database and Third-party cloud platform, and Microsoft Entra SSO, Okta SSO, Salesforce Environments and Third-Party Marketing Platforms.

Response to the Incidents

What containment measures were taken in the most recent incident ?

Containment Measures in Most Recent Incident: The containment measure taken in the most recent incident was containing the breach (CrunchBase).

Data Breach Information

What was the most sensitive data compromised in a breach ?

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Customer account details, Personally Identifiable Information (PII), Account Details, Customer Records, Passcodes, Addresses, varied, names, last four digits of credit card numbers, email addresses, Social Security numbers, Birth dates, physical addresses and birthdays.

What was the number of records exposed in the most significant breach ?

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 87.5M.

Regulatory Compliance

What was the most significant legal action taken for a regulatory violation ?

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was Class action lawsuit, State and federal lawsuits (consolidated).

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent sources of information about an incident are Washington State Office of the Attorney General, Okta Advisories, Silent Push, Panera Bread Data Breach Settlement Website, Class Action Lawsuit Filings (State and Federal), Bloomberg News, Mandiant and The Register.

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (settlement pending Final Fairness Hearing on January 29, 2026).

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was Customers notified via settlement administrators; public deadlines communicated (claims due by November 11, 2025).

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisory issued was Eligible customers instructed to file claims by November 11, 2025, for compensation (up to $6,500 for extraordinary losses and $500 for ordinary losses).

Initial Access Broker

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Alleged failure to implement adequate cybersecurity measures, Exploitation of SSO Vulnerabilities, Social Engineering (Voice-Phishing), and Compromised Third-Party Platforms.

cve

Latest Global CVEs (Not Company-Specific)

Description

A vulnerability was found in Nothings stb up to 1.26. Impacted is the function stbtt_InitFont_internal in the library stb_truetype.h of the component TTF File Handler. Performing a manipulation results in out-of-bounds read. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

Risk Information
cvss2
Base: 5.0
Severity: LOW
AV:N/AC:L/Au:N/C:N/I:N/A:P
cvss3
Base: 4.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
cvss4
Base: 5.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read in VS6ComFile!get_macro_mem_COM. Opening a crafted V7 file may lead to information disclosure from the affected product.

Risk Information
cvss3
Base: 7.8
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cvss4
Base: 8.4
Severity: LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CSaveData::_conv_AnimationItem. Opening a crafted V7 file may lead to arbitrary code execution on the affected product.

Risk Information
cvss3
Base: 7.8
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cvss4
Base: 8.4
Severity: LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read vulnerability in VS6MemInIF!set_temp_type_default. Opening a crafted V7 file may lead to information disclosure from the affected product.

Risk Information
cvss3
Base: 7.8
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cvss4
Base: 8.4
Severity: LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description

V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read vulnerability in VS6ComFile!load_link_inf. Opening a crafted V7 file may lead to information disclosure from the affected product.

Risk Information
cvss3
Base: 7.8
Severity: LOW
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
cvss4
Base: 8.4
Severity: LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Access Data Using Our API

Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=panera-bread' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.