The personal data of what may be as many as 37 million Panerabread.com customers was left exposed for eight months before being pulled offline today.
Names, email and physical addresses, date of birth, the last four digits of the customer credit card numbers and Panera loyalty card number records for customer who signed up for an account to order food online via the site, were all exposed.
Independent researcher Dylan Houlihan spotted the leak last year and notified the St. Louis-based company on August 2, 2017 but the firm didn't take immediate action, according to KrebsOnSecurity.
An email exchange obtained by Krebs that was held between Houlihan and Mike Gustavison, Panera's director of information security, indicates that Gustavison initially dismissed the claims as a scam, but a week later the company validated the findings and set out to fix the issue. Unfortunately, it appears the Panera didn't take action until April 3, 2018 when the site was taken down for a brief period after being contacted by the news site.
“Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you'd like, up to and including the entire database,” Houlihan told KrebsonSecurity.
hen asked if the problem had been addressed before Krebs contacted the firm, Houlihan added the vulnerability never disappeared.
“Following reports today of a potential problem on our website, we suspended the functionality to repair the issue,” Panera said in a statement. “Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”
The firm did not explain why it took so long to address the issue but told Fox
fewer than 10,000 consumers have been potentially affected.
Paul Bischoff, privacy advocate at Comparitech.com told SC Media the leak was an inexcusable oversight that not only took far too long to fix, but should have never occurred in the first place.
“This was not a sophisticated breach by hackers,” Bischoff said. “The unsecured database of millions of customers could easily be accessed via a web browser, and all the data was available in plain text, meaning thieves wouldn't even have to bother decrypting it”
Bischoff went on to call the breach a good example of why consumers should be cautious signing up for loyalty programs and promotional membership schemes since there is no way to know whether a company takes your information security seriously and can competently handle.
Ben Johnson, CTO and Co-Founder, Obsidian Security, agreed that the situations was handled poorly and added that proper scoping and root cause analysis need to be performed whenever there is a security attack or vulnerability.
“Panera's handling of its leak was a disaster,” Johnson said. “From dismissing responsible disclosure from the security community, to ignoring the problem for 8 months, to racing to downplay the scope and say it had been remediated, Panera should be ashamed at how poorly it handled this from end-to-end
Johnson added that it is better to fix the problem in the first place than to race to the media with news of a purported fix. Panera may also face backlash from government investigations that may follow.
“Panera appears to have had an application security practice in place, so any investigation will likely spend time understanding what Panera monitored of normal versus abnormal activity, did they have a regularly scheduled security assessment run against their public websites, and did they correct poor coding practices once found.” Terry Ray, chief technology officer of Imperva, said. “It seems at a minimum, they failed to either believe and test the first finding of this breach in August and quickly rectified the issue once it went public here in April.”
Ray went on to say he expects PCI regulators will question any PCI audits done since August looking for passes on application security, code review and code correction.
SC Media has attempted to contact Panera Bread Co. on but they have yet to respond.
UPDATE: KrebsOnSecurity reported that as many as 37 million customers may have been affected. Panera has yet to confirm the amount.