Panera Bread Possibly Shelled Out a Hefty Ransom During Destructive March Ransomware Assault
Panera Bread likely fell victim to a ransomware attack in March, with the company possibly paying a ransom to regain access to its systems.
Did Panera Bread Pay a Ransom?
It’s highly likely that Panera Bread, a popular American fast-food chain, paid a ransom after a recent ransomware attack, according to the language used in an internal email sent to employees.
Last week, Panera started sending data breach notifications to employees, warning them that their personal information, including names and social security numbers, had been stolen in a March cyberattack.
While Panera hasn’t publicly disclosed attack details, we first reported that the company suffered a ransomware attack that encrypted all of its virtual machines and disrupted its website, phone systems, mobile app, point-of-sale, and internal systems for a week.
We later learned that one of their storage servers wasn’t encrypted in the attack, allowing the company to rebuild and restore servers from backups. Interestingly, no ransomware gang claimed responsibility for the attack or leaked stolen data, which might indicate that a ransom was paid.
On Thursday, as data breach notifications were being emailed, an alleged employee claimed on Reddit that Panera paid a ransom to ensure the hackers deleted the stolen data and didn’t leak it publicly.
“This probably will not make it far, but just got out of a corporate meeting where they broke to us that all our data has been stolen since march and they paid the hackers to “not release” its employees data,” reads the Reddit thread by an alleged Panera employee.
The anonymous employee also shared an internal email from Panera Senior Vice President KJ Payette that supports the ransom payment claim, stating that Panera obtained assurances that the stolen data was deleted and wouldn’t be published.
“Please note that we obtained assurances that the information involved was deleted and will not be published. As of now, there is no indication that the information accessed has been made publicly available,” reads an internal Panera email sent to employees.
Ransomware Attacks and Stolen Data
In ransomware attacks, threat actors breach a company and stealthily spread throughout its network while stealing corporate data. After gaining administrative privileges on the network, they deploy the encryptor to encrypt all devices.
Threat actors use stolen data and encrypted files as leverage to force companies to pay a ransom. In return, they promise to provide a decryptor and delete any data stolen during the attack.
It’s highly unlikely that Panera could receive assurances that data was deleted and wouldn’t be published unless they came directly from the threat actors after a ransom demand was paid. Additionally, even if law enforcement managed to intercept the server hosting the data, there’s no way of knowing if the threat actors stored a copy of the data elsewhere.
Unfortunately, paying a ransom doesn’t guarantee the complete deletion of stolen data. Past incidents have shown that threat actors don’t always keep their promises, and data has been sold to other threat actors, leaked on data leak sites, or used to extort the company again.
This was seen recently with the BlackCat ransomware attack on United Healthcare. The company paid a $22 million ransom demand to receive a decryptor and have stolen data deleted. However, after BlackCat stole the ransom payment without paying the affiliate behind the attack, the affiliate stated they never deleted the data and extorted United Healthcare again, threatening to sell the data to other threat actors unless another payment was made.
To prove they still held the data, the threat actors leaked samples on another ransomware gang’s data leak site, RansomHub. Eventually, the United Healthcare entry disappeared from this data leak site, indicating another ransom was likely paid.
For this reason, ransomware negotiators have advised us in the past that companies should never pay a ransom to delete stolen data, as there’s no guarantee this will be done.
We contacted Panera Bread to confirm if they paid the ransom but didn’t receive a response.