Another Company Blows Off Breach Notification For Months, Lies About Affected Customers When It's Exposed

from the trust-no-one dept

Another day, another security breach. Another day, another security breach handled badly by the company leaking data. Another day, another security researcher being treated like garbage for attempting to report it. Etc. Etc.

The victim perpetrator here is Panera Bread. Researcher Dylan Houlihan informed Panera Bread its online ordering service was leaking data. This notification happened months ago.

In August 2017, I reported a vulnerability to Panera Bread that allowed the full name, home address, email address, food/dietary preferences, username, phone number, birthday and last four digits of a saved credit card to be accessed in bulk for any user that had ever signed up for an account. This includes my own personal data! Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months.

Houlihan emailed Mike Gustavision -- then Panera's head of security -- about the vulnerability. Like many other discovered data leaks, all a user had to do was alter digits in company's online ordering site to view other people's personal information. Users did not even need a Panera account to do this.

Houlihan's notification attempt was greeted with derision by Panera's security head. [Click for a larger version.]

Dylan,

My team received your emails however it was very suspicious and appeared scam in nature therefore was ignored. If this is a sales tactic I would highly recommend a better approach as demanding a PGP key would not be a good way to start off. As a security professional you should be aware that any organization that has a security practice would never respond to a request like the one you sent. I am willing to discuss whatever vulnerabilities you believe you have found but I will not be duped, demanded for restitution/bounty or listen to a sales pitch.

Eventually, Gustavision provided a PGP key and allowed Houlihan to send him info on the site's vulnerability. But, as Houlihan points out, this is no way to treat someone reporting a possible breach. Not only was the immediate response needlessly combative, the company's response to the notification was to do nothing until it was publicized by other security researchers.

This was contrary to Gustavision's statements to Houlihan, which claimed Panera's security team was "working on a response." That was the claim last August. Houlihan continued to check the site since his own information was included in what was exposed and nothing changed until April of this year, eight months after being notified.

Somehow, Panera was magically on top of the situation when it went mainstream. After Brian Krebs spoke to the company's CIO about the breach, Panera briefly took its site offline for maintenance. It then declared it had fixed the hole within two hours of notification, glossing over the fact it had been notified eight months earlier and done nothing. It also downplayed the problem as only affecting a small portion of Panera customers.

Almost minutes after this story was published, Panera gave a statement to Fox News (no link will be provided) downplaying the severity of this breach, stating that only 10,000 customer records were exposed.

In essence, it lied to press outlets seeking comment. Security researchers noted the problem hadn't even been completely fixed yet.

Almost in an instant, multiple sources — especially @holdsecurity — pointed out that Panera had basically “fixed” the problem by requiring people to log in to a valid user account at panerabread.com in order to view the exposed customer records (as opposed to letting just anyone with the right link access the records).

And it was far, far bigger than Panera publicly claimed. Krebs initially estimated the exposed records at 7 million. Additional research by Krebs showed multiple divisions of Panera were affected by the same vulnerability (like its online catering service). After examining APIs used by Panera's online services, Krebs estimates close to 37 million records have been exposed.

What will Panera learn from this? Whatever it does learn won't spread to other companies, that's for certain. Breach after breach has shown us companies are willing to shoot the messenger, cover up the damage, ignore repeated notifications, and obfuscate when breaches are finally exposed. Panera didn't handle breach notification worse than other companies have. It just did as little as possible until forced to confront the problem. This mindset is shared by far too many entities. They love scooping up personal data, but not the security responsibility that comes with it.

Filed Under: data breach, leaks, security
Companies: panera

DailyDirt: Playing Some Games With Hunger

from the urls-we-dig-up dept

The problem with hunger isn't limited to not having enough to eat -- other hunger issues arise with over-active cravings that lead to obesity and other health problems. For many people, it's not so simple to just "eat less and exercise more" despite how simple that formula sounds. Here are just a few links on the topic of watching what you eat and trying to control caloric intake.

• Dietary research increasingly suggests that not all calories are equivalent, and there is some evidence that high-glycemic foods (from processed carbohydrates) can cause blood sugar spikes and stimulate hunger. It's not clear if the cravings caused by refined carbohydrates can be reduced to fight obesity, but avoiding high-glycemic foods could be part of a strategy (along with an exercise regime) to help people lose weight. [url]
• Panera Bread CEO Ron Shaich tried to eat on a budget of $4.50 a day for a week -- to raise awareness for hunger. The average amount allocated to individuals in the federal Supplemental Nutrition Assistance Program (SNAP) is just $31.50 per week, and it's not an easy diet to live on without getting hungry. Good thing Panera has some 'Pay What You Want' locations.... [url]
• Some genetically modified mice developed brain cells that could respond to light -- one group had neurons that were activated by light and another group of mice had neurons that were de-activated with light. Using these mice, researchers were able to control how much the mice ate by shining light on particular areas of the brain -- making mice eat when they were beyond full and preventing mice from eating when the mice were hungry. [url]

If you'd like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.

Filed Under: carbs, diet, eating, food, gmo, hunger, obesity
Companies: panera

Panera's 'Pay What You Want' Restaurants Are Working

from the how-about-that dept

Earlier this year, we noted that Panera Bread was testing out a "pay what you want" concept restaurant in St. Louis. It was set up as part of a non-profit charitable foundation, rather than as part of the corporate Panera structure. However, at the time, I noted that I wasn't sure how well it would do, since "pay what you want" for scarce goods seems like a much more dangerous idea. I also pointed out that while I was sure many people would pay the "recommended" prices, and some would obviously pay much less, I doubted many would pay more than the recommended prices to make up for those who paid less. I did note that I hoped to be pleasantly surprised by the results... and now I should admit that I am.

Declan points us to the news that the company is actually expanding the effort, with an expected "pay what you want" opening in Portland. That article also notes that the company has said the original one has been a success. As I expected, the majority of people do just pay the recommended price, with another 15% paying less (or even nothing). But, a separate 15% actually do pay more than the recommended price.

I'm still not convinced this kind of offering works that well in all cases, especially with scarce goods, but I think we're beginning to see scenarios under which it can work. For example, we did recently discuss a study that found "pay what you want" appears to work much better with a charitable component, which is definitely the case here. Separately, we've seen that it can work if you really connect with people, and apparently Panera worked hard to really connect with the local community to make this restaurant work. It'll be worth watching to see if it can replicate that success elsewhere.

Filed Under: food, pay what you want, restaurants
Companies: panera