February 2026 Breach Roundup: Panera, Substack, Japan Airlines, and What They Have in Common
Four major breaches in early 2026 share a pattern: long dwell times, delayed detection, and data exfiltration that went unnoticed for weeks or months.
February 2026 has produced a cluster of significant data breaches across unrelated industries. The affected organizations span restaurant chains, media platforms, airlines, and energy infrastructure. The common thread is not the attack vector or the threat actor. It is the detection gap, the time between initial compromise and discovery.
Panera Bread: 5.1 Million Records
The ShinyHunters group claimed responsibility for a January 2026 attack on Panera Bread that compromised 5.1 million customer accounts. The stolen data includes names, email addresses, phone numbers, and physical addresses. Panera refused the ransom demand, and ShinyHunters published a 760 MB archive of the stolen data. Multiple class action lawsuits have been filed.
The operational detail that matters for enterprise security teams: the attack targeted customer account data stored in a system that appears to have lacked adequate monitoring for bulk data access. Exfiltrating 5.1 million records generates detectable signals: large query volumes against a database, transfers of data to external destinations, and access patterns inconsistent with normal application behavior. The fact that this activity was not caught before the exfiltration was complete suggests either inadequate monitoring or alert fatigue in the security operations center.
Substack: Four Months of Undetected Access
The Substack breach is the most instructive case for enterprise security teams. The unauthorized access began in October 2025 and was not discovered until February 3, 2026, a dwell time of approximately four months. During that period, the attacker had access to full names, email addresses, phone numbers, user IDs, profile pictures, biographies, account creation dates, and social media handles.
Four months of persistent access without detection represents a fundamental failure in monitoring, not a sophisticated evasion technique. The attacker maintained ongoing access to user data across an extended period, which means the compromised access was either low-volume enough to avoid threshold-based alerts or the monitoring simply was not in place to detect the access pattern.
For enterprise buyers evaluating SaaS vendors, the Substack breach reinforces the importance of third-party security assessments that go beyond questionnaire-based reviews. Questions about continuous monitoring, anomaly detection, and mean time to detect should be weighted heavily in vendor risk assessments.
Japan Airlines: Customer Data Since July 2024
Japan Airlines discovered unauthorized access to its systems on February 9, 2026. The compromised data includes information from customers who used the service since July 2024, spanning names, phone numbers, email addresses, and travel-related details. The scope of the affected data window, stretching back 19 months, suggests that either the attacker maintained persistent access for an extended period or the compromised system retained a large historical dataset that was accessible through a single point of entry.
The travel industry is a frequent target because the data is both valuable and combinable. Travel records, contact information, and loyalty program data can be cross-referenced to build detailed profiles used for targeted phishing, business email compromise, or identity fraud. The Japan Airlines breach adds to a pattern of airline data compromises that includes British Airways, Cathay Pacific, and Air India in recent years.
Conpet Romania: 1 TB of Internal Data
The Qilin ransomware group hit Conpet, a Romanian energy infrastructure company, exfiltrating over 1 TB of data including sensitive internal documents, personal information, and financial records. Energy sector attacks carry additional risk because of the potential for operational disruption to critical infrastructure, though in this case the primary impact appears to be data theft rather than operational interference.
The 1 TB volume is notable. Transferring that volume of data out of a corporate network generates significant traffic that network detection and response tools should flag. The success of the exfiltration suggests either the data was moved slowly over an extended period or the organization lacked the network visibility to detect abnormal outbound data flows.
The Pattern: Detection Is the Problem
All four breaches share a common failure mode: the organizations did not detect the compromise quickly enough to prevent significant data loss. The threat actors, the industries, and the geographies are different. The detection gap is the constant.
This aligns with broader industry data. The average dwell time for a breach, the time between initial access and detection, has improved in recent years but remains measured in weeks or months for many organizations. The improvement has been driven primarily by organizations that have invested in security operations centers, endpoint detection and response, and network monitoring. Organizations that have not made those investments are experiencing dwell times that look like the worst-case numbers from five years ago.
For enterprise security leaders, the February 2026 breach cluster reinforces three priorities.

First, continuous monitoring is not optional. Threshold-based alerts that fire when someone exfiltrates data "too fast" miss attackers who operate slowly and carefully. Behavioral analytics that baseline normal access patterns and flag deviations are more effective but require investment in both tooling and analyst time.

Second, vendor security assessments need teeth. The Substack breach shows that even platforms with sophisticated user bases can have detection gaps that compromise customer data. Third-party risk management programs should include ongoing validation, not just point-in-time assessments.

Third, incident response plans should assume extended dwell times and scope the investigation accordingly. When a breach is discovered, the first question should not be "what happened yesterday" but "how long has this been going on," and the forensic effort should cover the full potential exposure window.
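As an added example (not code from the article or from any of the organizations named), the following Python contrasts the two detection approaches above on constructed daily record-access counts: a static per-day threshold catches a one-shot bulk dump but never fires on a small, persistent drain, while a per-principal baseline (median and MAD from a learning period, plus a CUSUM of daily excess) flags both. The principal names, volumes and the 30-day learning window are assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import median

def build_events():
    """Constructed telemetry: one (day, principal, records_read) row per
    principal per day. web-app is a busy but steady service; report-svc is
    a small service that an attacker starts draining on day 31 at a modest
    extra 150 rows/day. web-app suffers a one-shot bulk dump on day 75."""
    rows = []
    for day in range(1, 91):
        web = 3_000_000 if day == 75 else 50_000 + (day % 7) * 1_000
        rep = 400 + (day % 5) * 40 + (150 if day >= 31 else 0)
        rows += [(day, "web-app", web), (day, "report-svc", rep)]
    return rows

def threshold_alerts(events, limit=1_000_000):
    """Static rule: alert only when a single day's volume exceeds `limit`."""
    return sorted((d, p) for d, p, n in events if n > limit)

def baseline_alerts(events, learn_days=30, k=6.0, cusum_limit_mads=20):
    """Per-principal behavioural rule. The first `learn_days` days define a
    robust baseline (median, MAD). Afterwards a day is flagged as a 'spike'
    when its robust z-score exceeds k, or as a 'slow-drain' when the CUSUM
    of small daily excesses above median + 2*MAD passes cusum_limit_mads*MAD.
    Production systems would re-baseline periodically; this one does not."""
    history = defaultdict(list)
    for d, p, n in events:
        if d <= learn_days:
            history[p].append(n)
    base = {}
    for p, vals in history.items():
        med = median(vals)
        mad = median(abs(v - med) for v in vals) or 1.0  # guard zero MAD
        base[p] = (med, mad)
    alerts, excess = [], defaultdict(float)
    for d, p, n in sorted(events):
        if d <= learn_days or p not in base:
            continue
        med, mad = base[p]
        if abs(n - med) / mad > k:
            alerts.append((d, p, "spike"))
            continue
        # CUSUM: accumulate only the excess above a slack of 2 MADs, floored at 0
        excess[p] = max(0.0, excess[p] + (n - med - 2 * mad))
        if excess[p] > cusum_limit_mads * mad:
            alerts.append((d, p, "slow-drain"))
            excess[p] = 0.0  # reset so the next window is judged afresh
    return alerts
```

With these constructed inputs the static rule only sees the day-75 dump, whereas the baseline rule also raises its first slow-drain alert on day 43, twelve days after the drain began.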