Security Experts: Breach At Panera Bread Affected Millions. Questions Linger About Vulnerability Fix
Apparently, Panera Bread experienced a massive data breach, which the restaurant chain's management allegedly ignored for months. CSO Online reported:
"Panera Bread’s website leaked millions of customer records in plain text for at least eight months, which is how long the company blew off the issues reported by security researcher Dylan Houlihan... Houlihan shared copies of email exchanges with Panera Bread CIO John Meister – who at first accused Houlihan of trying to run a scam when he first reported the security vulnerability back in August 2017... Exactly eight months after reporting the issue to Panera Bread, Houlihan turned to KrebsOnSecurity. Krebs spoke to Meister, and the website was briefly taken offline. Less than two hours later, Panera said it had fixed the problem."
Reportedly, the sensitive customer information leaked included usernames, first and last names, email addresses, phone numbers, home addresses, birthdays, the last four digits of saved credit card numbers, dietary restrictions, food preferences, and "social account integration information."
Security experts disagree about two key issues: a) whether or not the vulnerability was fixed, and b) the number of affected consumers. Panera Bread claimed about 10,000 customers were affected. Then, that number went up:
"After some more poking, Hold Security reported to Krebs that Panera didn’t just leak plain text records of 7 million customers; “the vulnerabilities also appear to have extended to Panera’s commercial division, which serves countless catering companies. At last count, the number of customer records exposed in this breach appears to exceed 37 million.”"
A check earlier today of the public-facing pages at Panera's website failed to find a breach notice, which companies usually provide after a data breach. Not good. Shoppers need to know. Many states have breach notification laws.
Panera's behavior doesn't inspire much confidence. Its internal breach-detection mechanisms seem to have failed, and its post-breach response seemed unprepared, unfocused, and uninterested. What do you think?