Another Company Blows Off Breach Notification For Months, Lies About Affected Customers When It's Exposed

from the trust-no-one dept

Another day, another security breach. Another day, another security breach handled badly by the company leaking data. Another day, another security researcher being treated like garbage for attempting to report it. Etc. Etc.

The victim perpetrator here is Panera Bread. Researcher Dylan Houlihan informed Panera Bread its online ordering service was leaking data. This notification happened months ago.

In August 2017, I reported a vulnerability to Panera Bread that allowed the full name, home address, email address, food/dietary preferences, username, phone number, birthday and last four digits of a saved credit card to be accessed in bulk for any user that had ever signed up for an account. This includes my own personal data! Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months.

Houlihan emailed Mike Gustavision -- then Panera's head of security -- about the vulnerability. Like many other discovered data leaks, all a user had to do was alter digits in company's online ordering site to view other people's personal information. Users did not even need a Panera account to do this.

Houlihan's notification attempt was greeted with derision by Panera's security head. [Click for a larger version.]

Dylan, My team received your emails however it was very suspicious and appeared scam in nature therefore was ignored. If this is a sales tactic I would highly recommend a better approach as demanding a PGP key would not be a good way to start off. As a security professional you should be aware that any organization that has a security practice would never respond to a request like the one you sent. I am willing to discuss whatever vulnerabilities you believe you have found but I will not be duped, demanded for restitution/bounty or listen to a sales pitch.

Eventually, Gustavision provided a PGP key and allowed Houlihan to send him info on the site's vulnerability. But, as Houlihan points out, this is no way to treat someone reporting a possible breach. Not only was the immediate response needlessly combative, the company's response to the notification was to do nothing until it was publicized by other security researchers.

This was contrary to Gustavision's statements to Houlihan, which claimed Panera's security team was "working on a response." That was the claim last August. Houlihan continued to check the site since his own information was included in what was exposed and nothing changed until April of this year, eight months after being notified.

Somehow, Panera was magically on top of the situation when it went mainstream. After Brian Krebs spoke to the company's CIO about the breach, Panera briefly took its site offline for maintenance. It then declared it had fixed the hole within two hours of notification, glossing over the fact it had been notified eight months earlier and done nothing. It also downplayed the problem as only affecting a small portion of Panera customers.

Almost minutes after this story was published, Panera gave a statement to Fox News (no link will be provided) downplaying the severity of this breach, stating that only 10,000 customer records were exposed.

In essence, it lied to press outlets seeking comment. Security researchers noted the problem hadn't even been completely fixed yet.

Almost in an instant, multiple sources — especially @holdsecurity — pointed out that Panera had basically “fixed” the problem by requiring people to log in to a valid user account at panerabread.com in order to view the exposed customer records (as opposed to letting just anyone with the right link access the records).

And it was far, far bigger than Panera publicly claimed. Krebs initially estimated the exposed records at 7 million. Additional research by Krebs showed multiple divisions of Panera were affected by the same vulnerability (like its online catering service). After examining APIs used by Panera's online services, Krebs estimates close to 37 million records have been exposed.

What will Panera learn from this? Whatever it does learn won't spread to other companies, that's for certain. Breach after breach has shown us companies are willing to shoot the messenger, cover up the damage, ignore repeated notifications, and obfuscate when breaches are finally exposed. Panera didn't handle breach notification worse than other companies have. It just did as little as possible until forced to confront the problem. This mindset is shared by far too many entities. They love scooping up personal data, but not the security responsibility that comes with it.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community. Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis. While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: data breach, leaks, security

Companies: panera