Another Company Blows Off Breach Notification For Months, Lies About Affected Customers When It's Exposed

from the trust-no-one dept

Another day, another security breach. Another day, another security breach handled badly by the company leaking data. Another day, another security researcher being treated like garbage for attempting to report it. Etc. Etc.

The victim and perpetrator here is Panera Bread. Researcher Dylan Houlihan informed Panera Bread that its online ordering service was leaking data. That notification happened months ago.

In August 2017, I reported a vulnerability to Panera Bread that allowed the full name, home address, email address, food/dietary preferences, username, phone number, birthday and last four digits of a saved credit card to be accessed in bulk for any user that had ever signed up for an account. This includes my own personal data! Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months.

Houlihan emailed Mike Gustavison, then Panera's head of security, about the vulnerability. As with many other data leaks, all a user had to do was alter digits in a URL on the company's online ordering site to view other people's personal information. Users did not even need a Panera account to do this.
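Bulk access of the kind described above leaves a characteristic trace in web server access logs: one client walking through consecutive record IDs on the same endpoint, often with no session at all. The following is an added example, not code from the original article, from Panera or from the researcher, that runs a small detector over a few constructed log lines. The log format, the `/user/profile/<id>` path and the `sess=` field are assumptions made for the illustration, not Panera's real endpoint.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (hypothetical format; not real traffic).
# Fields: timestamp, client IP, method, path, status, session id ("-" = no login cookie).
SAMPLE_LOG = """\
2018-04-09T03:50:01Z 203.0.113.7 GET /user/profile/10001 200 sess=-
2018-04-09T03:50:02Z 203.0.113.7 GET /user/profile/10002 200 sess=-
2018-04-09T03:50:02Z 203.0.113.7 GET /user/profile/10003 200 sess=-
2018-04-09T03:50:03Z 203.0.113.7 GET /user/profile/10004 200 sess=-
2018-04-09T03:50:03Z 203.0.113.7 GET /user/profile/10005 200 sess=-
2018-04-09T03:50:04Z 203.0.113.7 GET /user/profile/10006 200 sess=-
2018-04-09T03:51:10Z 198.51.100.4 GET /user/profile/20044 200 sess=9f2c
2018-04-09T03:52:30Z 198.51.100.4 GET /user/profile/20044 200 sess=9f2c
2018-04-09T03:55:00Z 192.0.2.9 GET /user/profile/30017 200 sess=-
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) sess=(?P<sess>\S+)$'
)
# Assumed record endpoint: the numeric id is the object reference we care about.
PROFILE_RE = re.compile(r'^/user/profile/(?P<rid>\d+)$')


def parse(log_text):
    """Yield one dict per request to the profile endpoint; skip lines that don't parse."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PROFILE_RE.match(m['path'])
        if not p:
            continue
        yield {
            'ts': datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ'),
            'ip': m['ip'],
            'rid': int(p['rid']),
            'status': int(m['status']),
            'authenticated': m['sess'] != '-',
        }


def find_enumeration(log_text, window=timedelta(seconds=60), min_distinct=5):
    """Return {ip: summary} for clients that successfully read at least
    `min_distinct` distinct record ids within `window`.

    The summary records how many of those ids were consecutive (a sign of
    id probing) and whether every request lacked a session cookie, which is
    the strongest signal: unauthenticated bulk reads of per-customer data.
    """
    by_ip = defaultdict(list)
    for ev in parse(log_text):
        if 200 <= ev['status'] < 300:        # only count reads that returned data
            by_ip[ev['ip']].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e['ts'])
        start = 0
        # Sliding window over the time-ordered events of this client.
        for end in range(len(events)):
            while events[end]['ts'] - events[start]['ts'] > window:
                start += 1
            span = events[start:end + 1]
            ids = sorted({e['rid'] for e in span})
            if len(ids) < min_distinct:
                continue
            sequential = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            current = findings.get(ip)
            # Keep the widest window seen for this client.
            if current is None or len(ids) > current['distinct_ids']:
                findings[ip] = {
                    'distinct_ids': len(ids),
                    'sequential_pairs': sequential,
                    'unauthenticated': all(not e['authenticated'] for e in span),
                }
    return findings


if __name__ == '__main__':
    for ip, summary in find_enumeration(SAMPLE_LOG).items():
        print(ip, summary)
```

On the constructed sample, only `203.0.113.7` is flagged: six distinct ids in under a minute, five of them consecutive, all without a session. The thresholds are deliberately low for the illustration; in production the window and the minimum count would be tuned against the endpoint's normal per-client access pattern, and a second rule would watch for the same pattern from an authenticated account, since requiring a login does not by itself stop enumeration.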

Houlihan's notification attempt was greeted with derision by Panera's security head.

Dylan,

My team received your emails however it was very suspicious and appeared scam in nature therefore was ignored. If this is a sales tactic I would highly recommend a better approach as demanding a PGP key would not be a good way to start off. As a security professional you should be aware that any organization that has a security practice would never respond to a request like the one you sent. I am willing to discuss whatever vulnerabilities you believe you have found but I will not be duped, demanded for restitution/bounty or listen to a sales pitch.

Eventually, Gustavison provided a PGP key and allowed Houlihan to send him the details of the site's vulnerability. But, as Houlihan points out, this is no way to treat someone reporting a possible breach. Not only was the immediate response needlessly combative, but the company's response to the notification was to do nothing until the leak was publicized by other security researchers.

This was contrary to Gustavison's statements to Houlihan, which claimed Panera's security team was "working on a response." That was the claim last August. Houlihan continued to check the site, since his own information was among the data exposed, and nothing changed until April of this year, eight months after Panera was notified.

Somehow, Panera was magically on top of the situation when it went mainstream. After Brian Krebs spoke to the company's CIO about the breach, Panera briefly took its site offline for maintenance. It then declared it had fixed the hole within two hours of notification, glossing over the fact it had been notified eight months earlier and done nothing. It also downplayed the problem as only affecting a small portion of Panera customers.

Almost minutes after this story was published, Panera gave a statement to Fox News (no link will be provided) downplaying the severity of this breach, stating that only 10,000 customer records were exposed.

In essence, it lied to press outlets seeking comment. Security researchers noted the problem hadn't even been completely fixed yet.

Almost in an instant, multiple sources — especially @holdsecurity — pointed out that Panera had basically “fixed” the problem by requiring people to log in to a valid user account at panerabread.com in order to view the exposed customer records (as opposed to letting just anyone with the right link access the records).

And it was far, far bigger than Panera publicly claimed. Krebs initially estimated the exposed records at 7 million. Additional research by Krebs showed multiple divisions of Panera were affected by the same vulnerability (like its online catering service). After examining APIs used by Panera's online services, Krebs estimates close to 37 million records have been exposed.
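Panera's initial "fix", requiring a login before the records could be viewed, only closes the unauthenticated case: any registered account can still read every other customer's record by changing the id in the request. What the endpoint needs is an object-level authorization check tying the record to the authenticated principal. The following is an added example, not Panera's code and not from Krebs or Houlihan, that shows the three states side by side against a constructed in-memory record store; the handler names, record layout and session model are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory customer store (sample data, not real records).
RECORDS = {
    10001: {"owner": "alice", "name": "Alice Example",
            "email": "alice@example.test", "card_last4": "1234"},
    10002: {"owner": "bob", "name": "Bob Example",
            "email": "bob@example.test", "card_last4": "5678"},
}


class Unauthenticated(Exception):
    """Would map to HTTP 401."""


class Forbidden(Exception):
    """Would map to HTTP 403."""


@dataclass
class Request:
    record_id: int                 # the id taken from the URL
    session_user: Optional[str]    # None when there is no valid login cookie


# State 1: open insecure direct object reference. The id in the URL is the
# only input, so anyone can walk the id space and read every record.
def get_profile_open(req: Request) -> dict:
    return RECORDS[req.record_id]


# State 2: the "fix" of merely requiring a login. Unauthenticated probing is
# blocked, but every registered user can still read every other customer's
# record, because nothing relates the record to the caller.
def get_profile_auth_only(req: Request) -> dict:
    if req.session_user is None:
        raise Unauthenticated()
    return RECORDS[req.record_id]


# State 3: object-level authorization. The authenticated principal must own
# the record. Missing and foreign records are answered identically so that a
# caller cannot use the response to learn which ids exist.
def get_profile_owner_checked(req: Request) -> dict:
    if req.session_user is None:
        raise Unauthenticated()
    rec = RECORDS.get(req.record_id)
    if rec is None or rec["owner"] != req.session_user:
        raise Forbidden()
    return rec


def can_read(handler, record_id: int, session_user: Optional[str]) -> bool:
    """True if `handler` hands the record to this caller, False on 401/403."""
    try:
        handler(Request(record_id, session_user))
        return True
    except (Unauthenticated, Forbidden):
        return False


if __name__ == "__main__":
    # Who can read Bob's record (10002) under each handler?
    for name, handler in [("open", get_profile_open),
                          ("auth_only", get_profile_auth_only),
                          ("owner_checked", get_profile_owner_checked)]:
        print(name,
              "anonymous:", can_read(handler, 10002, None),
              "alice:", can_read(handler, 10002, "alice"),
              "bob:", can_read(handler, 10002, "bob"))
```

The point of the comparison is the middle column: under the login-only handler, `alice` still reads `bob`'s record, which is exactly the condition @holdsecurity pointed out in Panera's first "fix". Only the owner-checked handler makes the answer depend on who is asking rather than on what id they typed.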

What will Panera learn from this? Whatever it does learn won't spread to other companies, that's for certain. Breach after breach has shown us companies are willing to shoot the messenger, cover up the damage, ignore repeated notifications, and obfuscate when breaches are finally exposed. Panera didn't handle breach notification worse than other companies have. It just did as little as possible until forced to confront the problem. This mindset is shared by far too many entities. They love scooping up personal data, but not the security responsibility that comes with it.


Filed Under: data breach, leaks, security
Companies: panera


Reader Comments



  • That One Guy (profile), 9 Apr 2018 @ 3:56am

    "I don't get it, why didn't anyone tell us beforehand...?"

    And yet another perfect example of why it's useless to contact a company with security flaws, rather than just ignoring it or, if you want to force the issue, anonymously making it public and forcing them to scramble to fix it.

    The one upside to this is that while they brushed him off initially, and then ignored him after that, at least they didn't try to sue him to shut him up as others have done. The fact that this is an unexpected positive however shows just how risky security researchers and those that try to help out have it, and how utterly insane so many companies can be when it comes to dealing with security.


  • Anonymous Coward, 9 Apr 2018 @ 4:10am

    I am willing to discuss whatever vulnerabilities you believe you have found but I will not be duped, demanded for restitution/bounty or listen to a sales pitch.

    This sounds like a very insecure man who has a stake in at least 8 time shares he can't use.


  • Anonymous Coward, 9 Apr 2018 @ 4:11am

    An obvious "scam" says a real-life Inspector Clouseau

    ... because every company's head of online security surely must know that whenever someone requests a PGP key, it's basically no different from some Nigerian asking for your bank account number.


  • Tim R (profile), 9 Apr 2018 @ 4:48am

    PGP Key

    The fact that he makes a stink about exchanging PGP keys to facilitate secure data sharing tells you pretty much everything you need to know about their security philosophies.


    • hij (profile), 9 Apr 2018 @ 5:05am

      Re: PGP Key

      Well, it is good that he was being careful with sharing public pgp keys. You do not want those things to be out and shared in public do you? Besides, it is not like you can just sit down and generate those things randomly. In some situations you actually have to use a command line to do that sort of thing!


  • Yogendra Kumar vishwakarma, 9 Apr 2018 @ 4:52am

    Mechanical

  • Annonymouse, 9 Apr 2018 @ 5:05am

    Really this is no different than any other facet of business.
    Even if there are laws, inspectors and penalties, corporate types will avoid and circumvent till their backside is cooling in a jail somewhere.
    Be it wages, safety for employees or customers, or just the general public being put at risk, they don't care up until their neck is in the noose.

  • Coyne Tibbets (profile), 9 Apr 2018 @ 5:41am

    Head knocker

    And I just signed up a couple weeks ago. Looks like I just hit my head on a low-hanging breach. Should have ducked, I guess.


  • MI Ray, 9 Apr 2018 @ 5:56am

    Act Proactively

    I have a problem with the way they dealt with this, because software can have a bug or something may have been ignored at first, but they should act proactively.

  • Ninja (profile), 9 Apr 2018 @ 6:13am

    If it doesn't cost them, companies are not going to start sanitizing their security practices. Place hefty fines for mishandling breaches, or have people leave in droves, as the norm and you'll see companies getting their acts together.

    There's no incentive to do things right from the businesses' perspective.

  • Joel Coehoorn, 9 Apr 2018 @ 6:23am

    Sympathetic

    I get so many sales pitches at my work address, I don't blame that guy for that first response at all. If a sales guy could get through just by claiming to report a vulnerability, you can bet lots of sales folks would do that. He explicitly says, "I am willing to discuss...". We should really be looking at how that next conversation went, rather than this one.

  • Anonymous Coward, 9 Apr 2018 @ 6:28am

    It's in the employee's interest to ignore notifications like this. If he does his job and brings it up to higher management, he's liable to get thrown out of the company. They'll investigate him, find something or invent something, and end the issue like that while sending a message to others.

    How do I know this? Happened to me. Career poof!


    • I.T. Guy, 9 Apr 2018 @ 6:52am

      Re:

      I'd rather get fired doing the right thing and slip off into obscurity than have my name associated with a major breach.

      Not just a breach, but ignoring a breach, then handling it badly.

      Mike Gustavison better just wipe his tenure at Panera Bread from his resume and hope nobody remembers his name. I wouldn't hire this guy to image machines.

      • Anonymous Coward, 9 Apr 2018 @ 7:21am

        Re: Re:

        That was one of the reasons I gave for why I brought it up to them. I would not allow my name to be attached to a worldwide scale data breach.

        However, that said, his best moves are to either ignore it or quit immediately. By responding so poorly, his professional name is forfeit. If he ignored it instead, he could say that he didn't receive the notification because it was thought to be spam. If he brought it to higher management, he would become the problem.

        Losing your job for doing the right thing is no joke. It has been a life altering event for me. I see the world completely differently. I've thrown away religion. I lost nearly all of my friends. When I called for a reference from one of my closest colleagues, HR responded with a threat of harassment. I can say with full confidence that it is not worth it, just leave immediately and do not look back.


      • Anonymous Coward, 9 Apr 2018 @ 8:08am

        Re: Re:

        Mike Gustavison used to be the Chief Security Officer for Equifax before he worked at Panera Bread. Let that sink in for a moment.


        • SpaceLifeForm, 9 Apr 2018 @ 1:17pm

          Re: Re: Re:

          Almost certainly why this story, now old, has been completely buried by the St. Louis Post-Dispatch.

          Panera Bread was originally St. Louis Bread Company. Started in St. Louis.

  • Anonymous Coward, 9 Apr 2018 @ 6:43am

    Oh Woe Is Us!

    "If only we had known, then we'd have patched it!" they cry, playing oblivious to the fact that in the same breath they also shot the messenger who tried to warn them.

    Seriously, these companies bully and intimidate security researchers who, when they find an exploit, do the right thing and try to tell said company so it can be fixed, and how are they rewarded? Being ignored at best, lawsuits and jail time at worst, and these companies have the gall to ask why no one tried to warn them!

    "If you can't secure it, don't keep it." - Brian Krebs

    • That One Guy (profile), 9 Apr 2018 @ 6:51am

      "It wasn't a problem until you told us about it."

      Short-term it does make a twisted sort of sense, in the managerial 'If I don't know about the problem it's not a problem' way. Before being told about the problem the problem didn't exist, it's only after being told that now they have to deal with it, therefore the cause of the problem is not the vulnerability, it's the person who reported it.

      Long-term of course that kind of thinking and acting all but ensures that those that aren't looking to exploit vulnerabilities will keep their mouths shut, such that the first time a company learns about a flaw is when it's used against them, but that's something for someone else to deal with, or even them but not now.


      • Anonymous Coward, 9 Apr 2018 @ 9:20am

        Re: "It wasn't a problem until you told us about it."

        And this is why I don't sign up for any company service unless it is absolutely necessary. Having an account with Panera is not necessary.

    • Anonymous Coward, 9 Apr 2018 @ 9:40am

      Re: Oh Woe Is Us!

      The researcher is lucky they didn't shoot harder. Incrementing the number in a URL is what weev went to prison for.


  • Anonymous Coward, 9 Apr 2018 @ 7:23am

    Panera won't learn a thing, won't do a thing except lie further to (try to) cover its own ass and continue to blame the very person/people who tried to help it by warning of the problem. None of this would have come about had it not been for the USA govt and law enforcement being allowed to get away with blaming everyone else, every time a whistleblower exposed their wrongdoings! And let's face it, there's nothing more sacred than saving something that the govt and police want hidden!!

  • Anonymous Coward, 9 Apr 2018 @ 7:48am

    If they told the truth

    They wouldn't have made as much dough.
    Because before the breach, business was always rising.
    And that's not the yeast of it!


  • Anonymous Coward, 9 Apr 2018 @ 7:52am

    Prior to his illustrious career at Panera, Mike Gustavison was Senior Director of Security Operations at...wait for it...Equifax!

    • TripMN (profile), 9 Apr 2018 @ 8:11am

      Re:

      I thought this was a joke... but holy hell.

      His LinkedIn says he worked information security at both places.


      • Anonymous Coward, 9 Apr 2018 @ 9:17am

        Re: Re:

        What is his definition of work? Sitting in a chair and pretending to be a security professional is not working.


  • Anonymous Coward, 9 Apr 2018 @ 12:41pm

    Dumb!

    All these data breaches...that’s why I don’t even believe in computers


  • That Anonymous Coward (profile), 9 Apr 2018 @ 1:36pm

    Until the cost of inaction > the cost of the PR spin, this will continue.

    Imagine a law that allowed multipliers for the number of times they blew off people reporting the issue.
    Imagine a multiplier for lying about number affected.
    Imagine a multiplier for blaming "hackers" to cover your own ineptness.

    The public response to these things is getting muted because we literally expect some site to be leaking our shit every 3 days.

    Remember when they would change the color of the rainbow alert system every 4 hours based on 'chatter' that they could never explain lest the ninja terrorists figure out we were spying on them???

    These little shits screamed wolf enough that we stopped paying attention & we fret about the body parts around town, rather than hire a better wolf spotter & beating the ass of any kid who lies about a wolf.


  • ECA (profile), 9 Apr 2018 @ 3:53pm

    Anyone?

    Know why I don't like giving my info ANYWHERE ON THE NET???
    Why I use Adblocker and NOSCRIPT??

    AND WHY IN HELL FB wants me to use my REAL NAME???

  • Anonymous Coward, 9 Apr 2018 @ 4:01pm

    "Everything" is insecure

    The business issue is that websites are not perfectly secure, and there is no incentive to make them bulletproof.

    The disturbing fact is that this breach was so simple to demonstrate.

    Pitched another way: All your competitors now have all your customer details! Yikes! That data is valuable!

