Panera Bread
ST. LOUIS — A woman is suing Panera Bread, alleging it failed to implement reasonable data security measures, which lead to a data breach in 2025 that exposed the personal information of millions of customers.
The complaint, filed Feb. 9 in the U.S. District Court for the Eastern District of Missouri, was brought by Bonnie Jones, on behalf of herself and a proposed nationwide class of individuals whose data was potentially compromised.
According to the complaint, Panera, a national fast-casual restaurant chain that operates company-owned and franchised bakery-cafés across the United States, collects and stores large amounts of personally identifiable information through in-store purchases, online ordering, its mobile application and its MyPanera customer loyalty program.
The data collected includes customers’ names, email addresses, phone numbers, mailing addresses, account login credentials and payment information.
The lawsuit alleges that in or around late 2025, unauthorized third parties gained access to Panera’s computer systems and obtained sensitive personal information maintained by the company.
The breach allegedly stemmed from Panera’s failure to implement and maintain reasonable data security safeguards appropriate to the nature and sensitivity of the information it collected.
The complaint states that a cybercriminal group known as ShinyHunters claimed responsibility for compromising Panera’s information systems and stealing customer data.
According to the filing, the group claimed to have taken more than 14 million records, or approximately 760 megabytes of compressed data, containing personally identifiable information such as names, email and home addresses, phone numbers and account details.
The group allegedly stated that the breach was facilitated through a compromise of Panera’s Microsoft Entra single sign-on authentication infrastructure.
Jones, a member of the MyPanera rewards program and user of the MyPanera app, alleges she was required to provide her name, phone number, email address and home address to participate and place mobile orders.
She claims she has suffered injuries as a result of the breach, including time and effort spent monitoring accounts for fraudulent activity, loss of privacy and an increased risk of identity theft and fraud.
The complaint further alleges that affected individuals face a heightened and ongoing risk that their information could be misused for financial fraud, identity theft, phishing attacks or other criminal purposes.
The lawsuit asserts that Panera failed to notify impacted individuals of the breach in a timely manner, preventing them from taking steps to protect themselves. It further alleges that Panera did not offer identity theft monitoring or identity theft protection services to customers following the incident.
In the complaint, Jones argues that Panera knew or should have known that its systems were attractive targets for cybercriminals and that it was required to implement reasonable data security measures.
The suit cites guidance and enforcement actions from the Federal Trade Commission concerning businesses’ obligations to safeguard consumer data.
It contends that Panera failed to maintain an adequate data security system, failed to adhere to industry standards for cybersecurity, failed to properly monitor its systems for intrusions and failed to adequately train employees in the handling of sensitive information.
The complaint alleges that the breach could have been prevented or minimized had Panera properly secured and encrypted sensitive information and maintained reasonable data retention policies.
It claims that the company’s conduct violated Section 5 of the Federal Trade Commission Act, which prohibits unfair practices in or affecting commerce, forming the basis for the negligence per se claim.
Jones seeks damages, injunctive relief and a jury trial, asserting claims of negligence and negligence per se under federal law. She is represented by Don M. Downing and Morry S. Cole of Gray Ritter Graham; and Brian C. Budmindson, Michael J. Laird and Madison M. DeMaris of Zimmerman Reed.
U.S. District Court for the Eastern District of Missouri case number: 4:26-cv-00198
