Panera Failed to Fix Data Breach, Lawsuit Alleges

Panera Bread Co. faces a putative class action alleging that a data breach exposed the personal data of thousands of customers to hackers, increasing their risk of fraud and identity theft. Boykin v. Panera Bread Co., No. 18-2461 (N.D. Ill., filed April 5, 2018). The complaint alleges that the company failed to protect the personally identifiable information of Panera’s My Rewards card and My Panera app users, including names, credit and debit card numbers, expiration dates and verification codes, email addresses, telephone numbers and birth dates.

In August 2017, a “white-hat hacker” apparently accessed the information and notified Panera about the potential security breach. Although Panera reportedly told the hacker it was developing a solution, the complaint alleges that the hacker “checked it every month or so” and ultimately contacted the publisher of Krebs on Security in 2018 to bring attention to the issue. The plaintiffs assert that in the meantime, Panera took no steps to warn customers of the possible breach and “failed to implement or maintain reasonable security procedures.”

Claiming violations of the Illinois Personal Information Protection Act, the Illinois Consumer Fraud and Deceptive Practices Act, intrusion upon seclusion, breach of contract, negligence and the right of privacy, plaintiffs seek class certification, equitable relief, restitution, disgorgement, damages and attorney’s fees.