Security Experts: Breach At Panera Bread Affected Millions. Questions Linger About Vulnerability Fix
Tuesday, April 10, 2018
Panera Bread apparently experienced a massive data breach, one which, according to the security researcher who reported it, the restaurant chain's management ignored for months. CSO Online reported:
"Panera Bread’s website leaked millions of customer records in plain text for at least eight months, which is how long the company blew off the issues reported by security researcher Dylan Houlihan... Houlihan shared copies of email exchanges with Panera Bread CIO John Meister – who at first accused Houlihan of trying to run a scam when he first reported the security vulnerability back in August 2017... Exactly eight months after reporting the issue to Panera Bread, Houlihan turned to KrebsOnSecurity. Krebs spoke to Meister, and the website was briefly taken offline. Less than two hours later, Panera said it had fixed the problem."
Reportedly, the sensitive customer information leaked included usernames, first and last names, email addresses, phone numbers, home addresses, birthdays, the last four digits of saved credit card numbers, dietary restrictions, food preferences, and "social account integration information."
Security experts disagree about two key issues: a) whether or not the vulnerability was fixed, and b) the number of affected consumers. Panera Bread claimed about 10,000 customers were affected. Then, that number went up:
"After some more poking, Hold Security reported to Krebs that Panera didn’t just leak plain text records of 7 million customers; “the vulnerabilities also appear to have extended to Panera’s commercial division, which serves countless catering companies. At last count, the number of customer records exposed in this breach appears to exceed 37 million.”"
A check earlier today of the public-facing pages at Panera's website failed to find a breach notice, which companies usually provide after a data breach. Not good. Shoppers need to know. Many states have breach notification laws.
Panera's behavior doesn't inspire much confidence. Its internal breach-detection mechanisms seem to have failed, and its post-breach response seemed unprepared, unfocused, and uninterested. What do you think?
I think that, at this rate of security breaches and other security failures and trespasses on privacy, we will soon be back to cash, checks, and abacuses. All of which are slow and none of which are perfectly secure, but they are far more secure than what we have in the age of the Internet.
The problem is that we can’t go back at an acceptable cost. The instant state of technology generally and particularly the Internet have made themselves indispensable to modern commerce, healthcare, communications, information processing, and emergency and security services. And even if we could go back, that would mean the sacrifice of many modern tools, goods, and services and/or dramatically increased costs to provide those tools, goods, and services.
So we can’t go back, but we can’t continue with a major security breach or failure happening seemingly every other day, because if the Internet and its modalities are insecure, the Internet doesn’t work for commerce, healthcare, security, etc. We must either fix and discover how to prevent these security breaches, the misuse and improper collection of our information, and the trespasses on our privacy, or we will suffer and may come to wish that we had never heard of the Internet.
Posted by: Chanson de Roland | Tuesday, April 10, 2018 at 03:29 PM