BleepingComputer reports that U.S. bakery-cafe fast food restaurant chain Panera Bread was accused by a purported employee of having fulfilled its attackers' demanded ransom from an intrusion in late March that resulted in the encryption of all its virtual machines just as the chain delivered breach notifications detailing the theft of employees' names, Social Security numbers, and other personal information.
In a post on Reddit, the anonymous employee alleged that a ransom was paid by Panera Bread to avoid the public exposure of employee data, with the claim supported by an internal email from Panera Senior Vice President KJ Payette noting assurances from the hackers that the compromised data was deleted. Panera Bread has yet to respond to the claims.
Organizations impacted by cyber incidents have long been discouraged to pay ransoms as payments do not guarantee total deletion of stolen data as observed in the recent BlackCat ransomware attack against Change Healthcare, with the firm's parent UnitedHealth Group being repeatedly extorted even after paying the $22 million ransom.
