A Breakdown in Trust: The Panera Bread Breach and SOC 2 Security Implications
Key Takeaways:
- SSO Vulnerabilities: The breach of Microsoft Entra SSO at Panera Bread highlights how compromising a single authentication point can grant attackers access to multiple critical systems.
- Advanced Vishing Tactics: Attackers leveraged spoofed calls, IT helpdesk impersonation, and phishing sites to steal credentials and manipulate users in real time.
- Human Factor Weakens MFA Protections: Despite MFA, social engineering enabled attackers to bypass controls by convincing users to authenticate malicious access.
- SOC 2 Enables Proactive Security and Resilience: Implementing SOC 2 Security criteria helps organizations identify risks, enforce controls, continuously monitor systems, and respond effectively to incidents.
In January 2026, ShinyHunters, a cybercrime group, reported that it had infiltrated Panera Bread and stolen customer and employee data. Panera confirmed that the breach was a compromise of Microsoft Entra’s Single Sign-On (SSO).
The successful voice phishing (vishing) exploit of the SSO allowed the attackers to access Panera Bread systems, and it took Panera a week to get its IT infrastructure back up and working. During that week, Panera could not access its business applications, and employees could not access their schedules.
How Did It Happen?
Panera did not share details of how the attack was accomplished; however, Okta published a warning about the sophistication of voice phishing. In the warning, Okta describes the vishing kits used to steal SSO credentials from users and bypass Multifactor Authentication (MFA).
In the scheme, the threat actor sets up impersonated sites and poses as a trusted source such as the IT Helpdesk. The impersonator calls the user from a spoofed Caller ID with a script such as the IT Helpdesk needing them to upgrade a security setting. The impersonator then directs the user to navigate their browser to a page that is in reality a phishing webpage and to enter their SSO credentials there. From that point, the impersonator sits between the user and the legitimate site, uses the stolen SSO credentials to sign into the legitimate site, and observes which MFA method is in use. Then, the attacker walks the user through the prompts so that the user ends up authenticating the attacker’s access to the legitimate site.
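The pattern described above leaves a trace in the identity provider's sign-in log: the session is established from a source the user has never used, MFA is nonetheless satisfied, and the user's own device is often still signed in at the same time. The following script is an added example, not code from the article, Okta, or Panera; it runs two simple detection heuristics over constructed sign-in records. The field names (ts, user, ip, device, mfa, result) and all addresses are assumptions for this example and are not Entra's schema; map your own IdP's export onto them.

```python
from datetime import datetime, timedelta

# Constructed sign-in records (not real Panera or Entra data). Field names are
# assumptions chosen for this example; adapt them to your IdP's log format.
SAMPLE_EVENTS = [
    # Normal baseline activity from the user's usual device and office address.
    {"ts": "2026-01-05T08:30:00", "user": "jdoe", "ip": "203.0.113.10",
     "device": "laptop-jdoe", "mfa": "none", "result": "success"},
    {"ts": "2026-01-06T08:32:00", "user": "jdoe", "ip": "203.0.113.10",
     "device": "laptop-jdoe", "mfa": "push", "result": "success"},
    {"ts": "2026-01-07T08:31:00", "user": "jdoe", "ip": "203.0.113.10",
     "device": "laptop-jdoe", "mfa": "none", "result": "success"},
    # Day of the "helpdesk" call: the user is still active on the usual device ...
    {"ts": "2026-01-12T13:58:00", "user": "jdoe", "ip": "203.0.113.10",
     "device": "laptop-jdoe", "mfa": "none", "result": "success"},
    # ... while an MFA-satisfied sign-in arrives from a source never seen for this user.
    {"ts": "2026-01-12T14:02:00", "user": "jdoe", "ip": "198.51.100.77",
     "device": "unknown", "mfa": "push", "result": "success"},
    # A failed attempt for another user: noise, not a finding.
    {"ts": "2026-01-12T14:05:00", "user": "asmith", "ip": "198.51.100.78",
     "device": "unknown", "mfa": "none", "result": "failure"},
]

# Everything before this date is treated as trusted history for building baselines.
BASELINE_CUTOFF = datetime(2026, 1, 10)


def parse_ts(event):
    return datetime.fromisoformat(event["ts"])


def build_baseline(events, cutoff):
    """Per-user set of (ip, device) pairs seen in successful sign-ins before cutoff."""
    seen = {}
    for ev in events:
        if ev["result"] == "success" and parse_ts(ev) < cutoff:
            seen.setdefault(ev["user"], set()).add((ev["ip"], ev["device"]))
    return seen


def detect(events, baseline, window=timedelta(minutes=10)):
    """Return findings for successful sign-ins matching two heuristics:

    unfamiliar_source          - success from an (ip, device) pair not in the
                                 user's baseline; MFA status is recorded so that
                                 an "MFA passed" sign-in is not mistaken for safe.
    concurrent_distinct_sources - the same user has another successful sign-in
                                 from a different IP within `window`, i.e. the
                                 real device and a second party are both active.
    """
    findings = []
    recent = {}  # user -> list of (timestamp, ip) for recent successful sign-ins
    for ev in sorted(events, key=parse_ts):
        if ev["result"] != "success":
            continue
        ts, user, ip = parse_ts(ev), ev["user"], ev["ip"]

        if (ip, ev["device"]) not in baseline.get(user, set()):
            findings.append({"rule": "unfamiliar_source", "user": user,
                             "ts": ev["ts"], "ip": ip, "mfa": ev["mfa"]})

        # Drop sign-ins older than the window, then look for a different source.
        live = [(t, i) for t, i in recent.get(user, []) if ts - t <= window]
        if any(i != ip for _, i in live):
            findings.append({"rule": "concurrent_distinct_sources", "user": user,
                             "ts": ev["ts"], "ip": ip, "mfa": ev["mfa"]})
        live.append((ts, ip))
        recent[user] = live
    return findings


def run():
    """Build the baseline from the sample history and scan the sample events."""
    return detect(SAMPLE_EVENTS, build_baseline(SAMPLE_EVENTS, BASELINE_CUTOFF))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Both rules fire on the 14:02 sign-in and neither fires on the user's ordinary activity or on the failed attempt. In practice the baseline would be built from weeks of history and keyed on ASN or registered device ID rather than raw IP, and a hit would be routed to the helpdesk for an out-of-band call-back to the user, which is exactly the step the vishing script tries to pre-empt.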
SOC 2: The Offense
The best defense is offense – proactive and preventative.
The SOC 2 (System and Organization Controls 2) framework was developed by, and is governed by, the AICPA to evaluate how well an organization protects customer data based on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is required and forms the Common Criteria upon which the other Trust Services Criteria are built.
The Security Trust Services Criteria help an organization identify the areas of risk to its systems, establish policies and procedures that ensure a strong security posture, continuously monitor to detect problems, and plan for security incidents if they occur. The organization must then prove that it is doing all of those things. Complying with this framework helps an organization prevent security problems and recover in the event of a failure.
McKonly & Asbury’s SOC and HITRUST teams are available to assist your organization in evaluating which assessment report best fits your needs. For more information, be sure to visit our System and Organization Controls (SOC) service page and HITRUST service page, and don’t hesitate to contact Dave Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA with further questions regarding HITRUST, SOC reports, and our services.
This article was written by SOC Staff Alexis Hershberger under the supervision of Director Lynnanne Bocchi.
About the Author
Lynnanne Bocchi, CPA, CIA, CISA, MBA, CCSFP, CHQP, CISM, CCP is a Director with the firm. She is a key member of our firm’s System and Organization Controls (SOC) Practice, preparing SOC 1, SOC 2, and SOC 3 reports for our clients. She is also a…