Attacks/Breaches

4/3/2018
12:25 PM
100%
0%

Panera Bread Leaves Millions of Customer Records Exposed Online

Personal information exposed in plain text for months on Panerabread.com and the company's response failed to rise to the challenge.

Panera Bread, the "fast casual" restaurant chain that is the remote office for countless knowledge workers, is the latest business to suffer a major breach to a customer database — and the latest company to offer lessons in how not to respond to information from security researchers and analysts.

KrebsOnSecurity reported yesterday on a programming error on Panera's website that left millions of customer records - names, email addreses, physical addresses, birthdays, and the last four digits of their credit cards - exposed in plain text, to a casual search. That's bad enough, but when the details of the error's history began to come out, things got worse.

Dylan Houlihan, a security researcher, notified Panera on August 2, 2017 that the information was accessible. Initially, Panera's IT team simply didn't believe him. After additional correspondence, the company's director of information technology told Houlihan that they had verified his findings and remediated the problem.

Unfortunately, when Houlihan contact KrebsOnSecurity on April 2, the information was still available in plain text. The researcher said he contacted KrebsOnSecurity because Panera was showing no interest in, or effort toward, remediation.

"The Panerabread.com leak is an inexcusable oversight that not only took far too long to fix, but should have never occurred in the first place," says Paul Bischoff, privacy advocate at Comparitech.com, pointing out that customers' names, email addresses, physical addresses, birthdays, and the last four digits of their credit cards were accessible for eight months.

After KrebsOnSecurity contacted Panera, the website was taken offline and the information was no longer freely available, though Hold Security pointed out that it was still available to anyone who logged into the site — potentially, logging in using credentials that were openly available for 8 months.

"This kind of programming mistake is much more common than you would think. We highly advise website owners to perform penetration testing of their websites to identify these types of vulnerabilities as early as possible," says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. "In the case of Panerabread.com, the site had an open API that anyone on the Internet could query and did not require any type of authentication."

Panera talked on camera to Fox Business almost immediately after the KrebsOnSecurity contact. In their on-camera interview, the company said that only about 10,000 records had been accessible, not the 7 million records claimed by Houlihan. Further research by Hold Security and reported by KrebsOnSecurity indicates that Panera may have been correct about the Houlihan number being off; Hold Security's estimate for affected accounts is approximately 37 million.

"Panera's handling of its leak was a disaster. From dismissing responsible disclosure from the security community, to ignoring the problem for eight months, to racing to downplay the scope and say it had been remediated, Panera should be ashamed at how poorly it handled this from end-to-end," said Ben Johnson, CTO and co-founder of Obsidian Security in statement. "It is better to fix the problem than to race to the media with news of a purported fix. If there's a silver lining here, it's that we can have a new example how not to respond to a security leak.”

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
4/4/2018 | 9:44:20 AM
Panera symptomatic
Thank you Curtis, for posting this report. 

In itself, the breach, the compromised data, and the response may seem like small potatoes compared to the mega breaches of the past few years.  However, this event is symptomatic of a problem well beyond the scale of any such incident.  There are a number of pertinent issues to consider; but for the moment, think about this: a restaurant chain has taken on the data security responsibilities which a few decades ago would only be expected of gevernments, financial institutions or defense contractors. 

In the case of Panera Bread, it is evident that they had not acknowledged the full extent of such responsibilities - and yet, what they had done to secure their data may well have been up to or beyond that of most entities of similar scale.  "May well have" because we are only likely to be able to make such assessments for those entities which have been breached - and it becomes known that a breach has occurred.  The case of Panera being "the tip of the iceberg" is almost certainly an understatement. 
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12633
PUBLISHED: 2018-06-22
An issue was discovered in the Linux kernel through 4.17.2. vbg_misc_device_ioctl() in drivers/virt/vboxguest/vboxguest_linux.c reads the same user data twice with copy_from_user. The header part of the user data is double-fetched, and a malicious user thread can tamper with the critical variables (...
CVE-2018-12634
PUBLISHED: 2018-06-22
CirCarLife Scada v4.2.4 allows remote attackers to obtain sensitive information via a direct request for the html/log or services/system/info.html URI.
CVE-2018-12635
PUBLISHED: 2018-06-22
CirCarLife Scada v4.2.4 allows unauthorized upgrades via requests to the html/upgrade.html and services/system/firmware.upgrade URIs.
CVE-2018-12630
PUBLISHED: 2018-06-21
NEWMARK (aka New Mark) NMCMS 2.1 allows SQL Injection via the sect_id parameter to the /catalog URI.
CVE-2018-12631
PUBLISHED: 2018-06-21
Redatam7 (formerly Redatam WebServer) allows remote attackers to read arbitrary files via /redbin/rpwebutilities.exe/text?LFN=../ directory traversal.