Panera Bread did nothing about its customer data vulnerability for eight months
First, the proof that I reported this, and the beginning of the timeline. I reported this vulnerability in August 2017, which is shown by the following email exchange with Panera Bread’s Information Security Director, Mike Gustavison. After attempting to contact them through a generic security@panerabread.com email address (which bounced), Twitter and even LinkedIn and email messages to Mike Gustavison (whose information I found on LinkedIn), I was formally introduced by an industry contact who had a mutual connection.
Source: medium.com