Ransomware, Data Security, Privacy

Ransomware demand allegedly paid by Panera Bread


BleepingComputer reports that a purported employee has accused U.S. bakery-cafe fast food restaurant chain Panera Bread of paying the ransom demanded by its attackers following an intrusion in late March that resulted in the encryption of all its virtual machines. The accusation came just as the chain delivered breach notifications detailing the theft of employees' names, Social Security numbers, and other personal information.

In a post on Reddit, the anonymous employee alleged that a ransom was paid by Panera Bread to avoid the public exposure of employee data, with the claim supported by an internal email from Panera Senior Vice President KJ Payette noting assurances from the hackers that the compromised data was deleted. Panera Bread has yet to respond to the claims.

Organizations impacted by cyber incidents have long been discouraged from paying ransoms, as payments do not guarantee total deletion of stolen data. This was observed in the recent BlackCat ransomware attack against Change Healthcare, with the firm's parent UnitedHealth Group being repeatedly extorted even after paying the $22 million ransom.
