Panera Bread locations across the country suffered a days-long network outage over the weekend. The outage started on Saturday and continued through Monday. By Tuesday morning, services were partially restored, but reports indicated that the company’s loyalty program was still offline. During the outage, Panera’s website directed customers to walk into a restaurant location and order the old-fashioned way, at the counter.
Store employees and managers say they haven’t received an explanation for the outage; Panera hasn’t offered comment to any media outlets about the trouble either. Of course, online rumors thrive in the absence of information. Plenty of posts speculated about some sort of malicious attack, others joked that an intern might have tripped over a cable.
It’s been over a decade since Panera installed its first kiosks; over a decade of training customers on the convenience of in-store ordering screens. It’s push to direct customers to place orders on the app came later, but it’s not a stretch to say that most of Panera’s decisions, from its coffee and drinks subscription to its revamped loyalty program, revolved around all-important digital connectivity.
Tech is firmly ensconced in the everyday restaurant experience. And as evidenced by Panera’s long and disruptive outage, restaurant companies that have rebuilt operations around technology become especially vulnerable when that tech fails.
Before I continue, here’s a reminder that Panera has not offered an explanation for the attack, and online rumors of a cyberattack are just online rumors.
When some McDonald’s locations outside the US went offline a few weeks ago, the restaurant chain was quick to issue a statement. The outage was caused by a third-party provider, a representative said. The rep also made a point to add that the trouble was not related to any type of cyberattack.
Several months ago, I reported a story about an alleged cyberattack on an East Coast food business. Apparently, some people said, the company fell victim to ransomware.
Like its name suggests, a ransomware attack infects a computer or network, restricting access to data — holding it for ransom — until a sum of money is paid, usually in crypto. Attackers typically gain access through phishing attempts, sending victims urgent-sounding emails or text messages that appear legitimate and seem to require immediate action. Once a victim clicks on the malicious link, malware locks their computer and potentially spreads to other systems until they pay up.
That story was ultimately killed — no one would go on record confirming that it was, in fact, a ransomware attack and as we’ve established, rumors thrive in the absence of information. (In a statement, the company in question did confirm “unauthorized and unlawful access” to its systems, but refused to answer detailed questions.)
I write this to underscore an important point about online attacks that compromise businesses: not talking about online malfeasance is a problem in itself.
In a 2023 report on internet crime, the FBI determined that ransomware attacks, in particular, are underrepresented in statistics. When it broke into one ransomware network, for example, it discovered that only 20 percent of the network’s victims reported the crimes. Still, that year, businesses reported over 2,000 ransomware attacks with a financial loss approaching $60 million.
That’s probably because admitting you’ve been a victim of this type of crime can be embarrassing. Seriously — ask me about the time I gave my bank password to a stranger over the phone. Just yesterday, one of the most popular food-related newsletters on this platform spammed its mailing list with “an urgent message regarding your property.” It happens, even to those of us who think it never will.
“Anyone can be the victim of a ransomware attack,” Valecia Stocchetti, a senior cybersecurity engineer at the Center for Internet Security told me in an interview last year as I reported my original ransomware story. Most security experts, including the FBI, encourage businesses not to pay attackers to discourage them from continued attacks. “Our stance is not to pay it, but it also comes down to the business and what they need to do to survive,” Stocchetti said. “You’re basically at the mercy of the attacker, which is unfortunate.”
Again: I’m not asserting that Panera was the victim of any online attack.
I am asserting that it’s prudent to consider any and all threats to businesses that rely on digital connectivity to survive.
Panera’s digital channels seem to be up and working now. In the meantime, it has fallen prey to another online blunder, though this one’s more relatable: In a promo image on its website Tuesday, Panera invited visitors to take a sneak peak at the company’s new menu, set to launch next month.
I feel you, Panera copywriter. We’ve all been there.
It’s a podcast!
It’s true, Expedite — well, me, Kristen — is back in your airpods on a podcast called The Simmer. My co-host is Bite CEO Brandon Barton, who’s worked in restaurant tech longer than I’ve covered it. I respect his insight and opinions, even when I don’t agree, and have always loved our industry-focused conversations. So it was an easy yes when he suggested we record them as a podcast, inviting some of the smartest people we know to join us.
The first episode, a conversation with PAR Technology’s CEO, Savneet Singh, live on Spotify now; expect a new one every two weeks. You can look forward to future conversations with guests including Will Guidara, Debby Soo, Noah Glass, Chip Wade and others. Give it a listen!
Re hacking of POS systems, a friend in hospo payment tech said it’s happening ‘all the time’ but usually kept under the covers. Lots we don’t hear about…
Hey Kristen, will you be making the podcast available on an RSS feed outside of Spotify? I listen to podcasts on Overcast and would love to add your podcast there