Panera Bread's half-baked security

Graham CLULEY

April 03, 2018

We’ve heard it all before. XYZ Company “takes your data security very seriously.”

Most commonly you’ll hear these words just after a company has suffered an embarrassing data breach, perhaps having carelessly exposed the personal information of innocent customers onto the net or had a database stolen by hackers.

The truth is that it’s a brave organisation which promises it will never suffer a serious security incident. Accidents can happen; human weaknesses can leave open vulnerabilities which hackers may be able to exploit; and partners who work alongside your company may have had their own security failure which impacted your business.

In these instances, the only way to recover your customers’ trust and keep your company’s reputation from being tarnished too badly is to respond appropriately to the incident. Often, in fact, the response to a security breach will be more critical to your company’s brand than the incident itself.

And, if you want an example of a company that has got it massively wrong, look no further than Panera Bread, the North American chain of over 2000 bakery cafés.

If you visit Panera Bread’s website today, you won’t find the usual collection of sandwiches, soups, salads, and sausage rolls. Instead you’ll probably see a message like this:

Panera Bread’s website is down. In fact, it’s the second time it’s been down in the last couple of days. Let me explain why…

In August 2017, a security researcher called Dylan Houlihan privately informed Panera Bread of a serious security vulnerability on the delivery.panerabread.com website, which meant that details of any signed-up customers’ full names, email addresses, phone numbers, and the last four digits of their saved credit card numbers could be scooped up.

A member of Panera Bread’s information security team responded to Houlihan, seemingly skeptical of the report – believing it to be a scammy sales pitch.

After a few days and some to-and-fro (which you can read on Houlihan’s blog post), Panera Bread confirmed it was working on resolving the issue.

That was back in August 2017.

As each month passes, Houlihan investigates whether the Panera Bread security vulnerability still exists – and, sadly, it does.

And so, eight months later and frustrated by the lack of response, he informs security blogger Brian Krebs who publicly reveals that millions of customer records are at risk.

Before publishing details of the problem, Krebs spoke to Panera Bread’s CIO John Meister, and the website was soon afterwards briefly taken down for “essential system maintenance”.

Krebs, no doubt, assumed that the problem was being resolved. But no explanation was given as to why no fix was put in place back in August 2017, when the company was first informed of the problem by Houlihan.

And if you think that’s bad, things get worse…

Panera Bread told Fox News that “fewer than 10,000 consumers have been potentially affected by this issue” and that “this issue is resolved”.

However, within minutes of that claim it became apparent that the same vulnerability was *still* present on the website – and that the number of customer records exposed may total over 37 million.

And that’s why Panera Bread’s website is down again.

Let’s hope it is taking data security seriously now. Although wouldn’t it have been much better if the company had taken decisive action when the issue was first reported to them eight months ago?
