Attacks/Breaches

4/3/2018
12:25 PM
100%
0%

Panera Bread Leaves Millions of Customer Records Exposed Online

Personal information exposed in plain text for months on Panerabread.com and the company's response failed to rise to the challenge.

Panera Bread, the "fast casual" restaurant chain that is the remote office for countless knowledge workers, is the latest business to suffer a major breach to a customer database — and the latest company to offer lessons in how not to respond to information from security researchers and analysts.

KrebsOnSecurity reported yesterday on a programming error on Panera's website that left millions of customer records - names, email addreses, physical addresses, birthdays, and the last four digits of their credit cards - exposed in plain text, to a casual search. That's bad enough, but when the details of the error's history began to come out, things got worse.

Dylan Houlihan, a security researcher, notified Panera on August 2, 2017 that the information was accessible. Initially, Panera's IT team simply didn't believe him. After additional correspondence, the company's director of information technology told Houlihan that they had verified his findings and remediated the problem.

Unfortunately, when Houlihan contact KrebsOnSecurity on April 2, the information was still available in plain text. The researcher said he contacted KrebsOnSecurity because Panera was showing no interest in, or effort toward, remediation.

"The Panerabread.com leak is an inexcusable oversight that not only took far too long to fix, but should have never occurred in the first place," says Paul Bischoff, privacy advocate at Comparitech.com, pointing out that customers' names, email addresses, physical addresses, birthdays, and the last four digits of their credit cards were accessible for eight months.

After KrebsOnSecurity contacted Panera, the website was taken offline and the information was no longer freely available, though Hold Security pointed out that it was still available to anyone who logged into the site — potentially, logging in using credentials that were openly available for 8 months.

"This kind of programming mistake is much more common than you would think. We highly advise website owners to perform penetration testing of their websites to identify these types of vulnerabilities as early as possible," says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. "In the case of Panerabread.com, the site had an open API that anyone on the Internet could query and did not require any type of authentication."

Panera talked on camera to Fox Business almost immediately after the KrebsOnSecurity contact. In their on-camera interview, the company said that only about 10,000 records had been accessible, not the 7 million records claimed by Houlihan. Further research by Hold Security and reported by KrebsOnSecurity indicates that Panera may have been correct about the Houlihan number being off; Hold Security's estimate for affected accounts is approximately 37 million.

"Panera's handling of its leak was a disaster. From dismissing responsible disclosure from the security community, to ignoring the problem for eight months, to racing to downplay the scope and say it had been remediated, Panera should be ashamed at how poorly it handled this from end-to-end," said Ben Johnson, CTO and co-founder of Obsidian Security in statement. "It is better to fix the problem than to race to the media with news of a purported fix. If there's a silver lining here, it's that we can have a new example how not to respond to a security leak.”

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
4/4/2018 | 9:44:20 AM
Panera symptomatic
Thank you Curtis, for posting this report. 

In itself, the breach, the compromised data, and the response may seem like small potatoes compared to the mega breaches of the past few years.  However, this event is symptomatic of a problem well beyond the scale of any such incident.  There are a number of pertinent issues to consider; but for the moment, think about this: a restaurant chain has taken on the data security responsibilities which a few decades ago would only be expected of gevernments, financial institutions or defense contractors. 

In the case of Panera Bread, it is evident that they had not acknowledged the full extent of such responsibilities - and yet, what they had done to secure their data may well have been up to or beyond that of most entities of similar scale.  "May well have" because we are only likely to be able to make such assessments for those entities which have been breached - and it becomes known that a breach has occurred.  The case of Panera being "the tip of the iceberg" is almost certainly an understatement. 
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
Most Malware Arrives Via Email
Dark Reading Staff 10/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18361
PUBLISHED: 2018-10-15
An issue was discovered in nc-cms through 2017-03-10. index.php?action=edit_html allows XSS via the name parameter, as demonstrated by a value beginning with home_content and containing a crafted SRC attribute of an IMG element.
CVE-2018-1744
PUBLISHED: 2018-10-15
IBM Security Key Lifecycle Manager 2.5, 2.6, 2.7, and 3.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 148423.
CVE-2018-1747
PUBLISHED: 2018-10-15
IBM Security Key Lifecycle Manager 2.5, 2.6, 2.7, and 3.0 is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 148428.
CVE-2018-18324
PUBLISHED: 2018-10-15
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has XSS via the admin/fileManager2.php fm_current_dir parameter, or the admin/index.php module, service_start, service_fullstatus, service_restart, service_stop, or file (within the file_editor) parameter.
CVE-2018-18322
PUBLISHED: 2018-10-15
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.480 has Command Injection via shell metacharacters in the admin/index.php service_start, service_restart, service_fullstatus, or service_stop parameter.