Another Company Blows Off Breach Notification For Months, Lies About Affected Customers When It's Exposed
from the trust-no-one dept
Another day, another security breach. Another day, another security breach handled badly by the company leaking data. Another day, another security researcher being treated like garbage for attempting to report it. Etc. Etc.
The victim/perpetrator here is Panera Bread. Researcher Dylan Houlihan informed Panera Bread that its online ordering service was leaking data. This notification happened months ago.
In August 2017, I reported a vulnerability to Panera Bread that allowed the full name, home address, email address, food/dietary preferences, username, phone number, birthday and last four digits of a saved credit card to be accessed in bulk for any user that had ever signed up for an account. This includes my own personal data! Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months.
Houlihan emailed Mike Gustavision -- then Panera's head of security -- about the vulnerability. Like many other discovered data leaks, all a user had to do was alter digits in the company's online ordering site to view other people's personal information. Users did not even need a Panera account to do this.
Houlihan's notification attempt was greeted with derision by Panera's security head.
Dylan,
My team received your emails; however, it was very suspicious and appeared scam in nature, therefore it was ignored. If this is a sales tactic I would highly recommend a better approach, as demanding a PGP key would not be a good way to start off. As a security professional you should be aware that any organization that has a security practice would never respond to a request like the one you sent. I am willing to discuss whatever vulnerabilities you believe you have found, but I will not be duped, demanded for restitution/bounty or listen to a sales pitch.
Eventually, Gustavision provided a PGP key and allowed Houlihan to send him info on the site's vulnerability. But, as Houlihan points out, this is no way to treat someone reporting a possible breach. Not only was the immediate response needlessly combative, the company's response to the notification was to do nothing until it was publicized by other security researchers.
This was contrary to Gustavision's statements to Houlihan, which claimed Panera's security team was "working on a response." That was the claim last August. Houlihan continued to check the site since his own information was included in what was exposed and nothing changed until April of this year, eight months after being notified.
Somehow, Panera was magically on top of the situation when it went mainstream. After Brian Krebs spoke to the company's CIO about the breach, Panera briefly took its site offline for maintenance. It then declared it had fixed the hole within two hours of notification, glossing over the fact it had been notified eight months earlier and done nothing. It also downplayed the problem as only affecting a small portion of Panera customers.
Almost minutes after this story was published, Panera gave a statement to Fox News (no link will be provided) downplaying the severity of this breach, stating that only 10,000 customer records were exposed.
In essence, it lied to press outlets seeking comment. Security researchers noted the problem hadn't even been completely fixed yet.
Almost in an instant, multiple sources — especially @holdsecurity — pointed out that Panera had basically “fixed” the problem by requiring people to log in to a valid user account at panerabread.com in order to view the exposed customer records (as opposed to letting just anyone with the right link access the records).
And it was far, far bigger than Panera publicly claimed. Krebs initially estimated the exposed records at 7 million. Additional research by Krebs showed multiple divisions of Panera were affected by the same vulnerability (like its online catering service). After examining APIs used by Panera's online services, Krebs estimates close to 37 million records have been exposed.
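The leak described above is an authorization failure: the record id alone selected the record, and the interim fix of demanding a login still let any account read any id. The following is an added example, not code from the article or from Panera, that models the three designs over constructed records and a hypothetical /api/profile/<id> path, with a review check that counts how many records one requester can reach and a log check that flags clients walking ids.

```python
import re
from collections import defaultdict

# Constructed sample records (made-up owners and digits, not the site's data).
RECORDS = {
    1001: {"owner": "alice", "email": "alice@example.com", "card_last4": "1111"},
    1002: {"owner": "bob", "email": "bob@example.com", "card_last4": "2222"},
}

def lookup_open(session_user, record_id):
    # Design the article describes: the numeric id alone selects the record.
    return RECORDS.get(record_id)

def lookup_login_only(session_user, record_id):
    # The interim "fix": a login is demanded, but any account still reads any id.
    if session_user is None:
        return None
    return RECORDS.get(record_id)

def lookup_owner_checked(session_user, record_id):
    # Hardened: authenticate, then authorise against the record's owner.
    # "Missing" and "not yours" both return None so the id space cannot be probed.
    if session_user is None:
        return None
    rec = RECORDS.get(record_id)
    return rec if rec is not None and rec["owner"] == session_user else None

def records_readable(handler, session_user, id_range):
    # Review check: how many records one requester gets by walking a numeric id range.
    return sum(handler(session_user, rid) is not None for rid in id_range)

# Hypothetical endpoint path and constructed access-log lines (not real traffic).
LOG_LINE = re.compile(r'(\S+) - - \[[^\]]+\] "GET /api/profile/(\d+) ')
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Apr/2018:10:00:01 +0000] "GET /api/profile/1001 HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Apr/2018:10:00:01 +0000] "GET /api/profile/1002 HTTP/1.1" 200 509',
    '203.0.113.7 - - [02/Apr/2018:10:00:02 +0000] "GET /api/profile/1003 HTTP/1.1" 404 77',
    '198.51.100.4 - - [02/Apr/2018:10:00:05 +0000] "GET /api/profile/1002 HTTP/1.1" 200 509',
]

def flag_id_walkers(log_lines, threshold):
    # Detection: clients that requested more than `threshold` distinct profile ids.
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return sorted(ip for ip, ids in seen.items() if len(ids) > threshold)
```

Only the owner-checked handler limits a logged-in user to their own record; the login-only version passes the authentication check while still exposing every id.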
What will Panera learn from this? Whatever it does learn won't spread to other companies, that's for certain. Breach after breach has shown us companies are willing to shoot the messenger, cover up the damage, ignore repeated notifications, and obfuscate when breaches are finally exposed. Panera didn't handle breach notification worse than other companies have. It just did as little as possible until forced to confront the problem. This mindset is shared by far too many entities. They love scooping up personal data, but not the security responsibility that comes with it.
Filed Under: data breach, leaks, security
Companies: panera
Reader Comments
"I don't get it, why didn't anyone tell us beforehand...?"
And yet another perfect example of why it's useless to contact a company with security flaws, rather than just ignoring it or, if you want to force the issue, anonymously making it public and forcing them to scramble to fix it.
The one upside to this is that while they brushed him off initially, and then ignored him after that, at least they didn't try to sue him to shut him up as others have done. The fact that this is an unexpected positive however shows just how risky security researchers and those that try to help out have it, and how utterly insane so many companies can be when it comes to dealing with security.
This sounds like a very insecure man who has a stake in at least 8 time shares he can't use.
An obvious "scam" says a real-life Inspector Clouseau
PGP Key
Re: PGP Key
Re: Re: PGP Key
Mechanical
Even if there are laws, inspectors and penalties, corporate types will avoid and circumvent till their backside is cooling in a jail somewhere.
Be it wages, safety for employees or customers, or just the general public being put at risk, they don't care up until their neck is in the noose.
Head knocker
Act Proactively
There's no incentive to do things right from the business's perspective.
Sympathetic
How do I know this? Happened to me. Career poof!
Re:
Not just a breach but ignoring a breach then handling it badly.
Mike Gustavision had better just wipe his tenure at Panera Bread from his resume and hope nobody remembers his name. I wouldn't hire this guy to image machines.
Re: Re:
However, that said, his best moves are to either ignore it or quit immediately. By responding so poorly, his professional name is forfeit. If he ignored it instead, he could say that he didn't receive the notification because it was thought to be spam. If he brought it to higher management, he would become the problem.
Losing your job for doing the right thing is no joke. It has been a life altering event for me. I see the world completely differently. I've thrown away religion. I lost nearly all of my friends. When I called for a reference from one of my closest colleagues, HR responded with a threat of harassment. I can say with full confidence that it is not worth it, just leave immediately and do not look back.
Re: Re:
Re: Re: Re:
Panera Bread was originally St. Louis Bread Company. Started in St. Louis.
Oh Woe Is Us!
Seriously, these companies bully and intimidate security researchers who, when they find an exploit, do the right thing and try to tell said company so it can be fixed. And how are they rewarded? Being ignored at best, lawsuits and jail time at worst, and these companies have the gall to ask why no one tried to warn them!
"If you can't secure it, don't keep it." - Brian Krebs
"It wasn't a problem until you told us about it."
Short-term it does make a twisted sort of sense, in the managerial "if I don't know about the problem, it's not a problem" way. Before being told about the problem, the problem didn't exist; it's only after being told that they now have to deal with it. Therefore the cause of the problem is not the vulnerability, it's the person who reported it.
Long-term of course that kind of thinking and acting all but ensures that those that aren't looking to exploit vulnerabilities will keep their mouths shut, such that the first time a company learns about a flaw is when it's used against them, but that's something for someone else to deal with, or even them but not now.
Re: "It wasn't a problem until you told us about it."
Re: Oh Woe Is Us!
If they told the truth
Because before the breach, business was always rising.
And that's not the yeast of it!
Re:
His LinkedIn says he worked information security at both places.
Re: Re:
Dumb!
Imagine a law that allowed multipliers for the number of times they blew off people reporting the issue.
Imagine a multiplier for lying about the number affected.
Imagine a multiplier for blaming "hackers" to cover your own ineptness.
The public response to these things is getting muted because we literally expect some site to be leaking our shit every 3 days.
Remember when they would change the color of the rainbow alert system every 4 hours based on 'chatter' that they could never explain lest the ninja terrorists figure out we were spying on them???
These little shits screamed wolf enough that we stopped paying attention & we fret about the body parts around town, rather than hire a better wolf spotter & beating the ass of any kid who lies about a wolf.
Anyone?
Why I use Adblocker and NOSCRIPT??
AND WHY IN HELL FB wants me to use my REAL NAME???
"Everything" is insecure
The disturbing fact in this breach was so simple to demonstrate.
Pitched another way: All your competitors now have all your customer details! Yikes! That data is valuable!