Attacks/Breaches

4/3/2018
12:25 PM
100%
0%

Panera Bread Leaves Millions of Customer Records Exposed Online

Personal information exposed in plain text for months on Panerabread.com and the company's response failed to rise to the challenge.

Panera Bread, the "fast casual" restaurant chain that is the remote office for countless knowledge workers, is the latest business to suffer a major breach to a customer database — and the latest company to offer lessons in how not to respond to information from security researchers and analysts.

KrebsOnSecurity reported yesterday on a programming error on Panera's website that left millions of customer records - names, email addreses, physical addresses, birthdays, and the last four digits of their credit cards - exposed in plain text, to a casual search. That's bad enough, but when the details of the error's history began to come out, things got worse.

Dylan Houlihan, a security researcher, notified Panera on August 2, 2017 that the information was accessible. Initially, Panera's IT team simply didn't believe him. After additional correspondence, the company's director of information technology told Houlihan that they had verified his findings and remediated the problem.

Unfortunately, when Houlihan contact KrebsOnSecurity on April 2, the information was still available in plain text. The researcher said he contacted KrebsOnSecurity because Panera was showing no interest in, or effort toward, remediation.

"The Panerabread.com leak is an inexcusable oversight that not only took far too long to fix, but should have never occurred in the first place," says Paul Bischoff, privacy advocate at Comparitech.com, pointing out that customers' names, email addresses, physical addresses, birthdays, and the last four digits of their credit cards were accessible for eight months.

After KrebsOnSecurity contacted Panera, the website was taken offline and the information was no longer freely available, though Hold Security pointed out that it was still available to anyone who logged into the site — potentially, logging in using credentials that were openly available for 8 months.

"This kind of programming mistake is much more common than you would think. We highly advise website owners to perform penetration testing of their websites to identify these types of vulnerabilities as early as possible," says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. "In the case of Panerabread.com, the site had an open API that anyone on the Internet could query and did not require any type of authentication."

Panera talked on camera to Fox Business almost immediately after the KrebsOnSecurity contact. In their on-camera interview, the company said that only about 10,000 records had been accessible, not the 7 million records claimed by Houlihan. Further research by Hold Security and reported by KrebsOnSecurity indicates that Panera may have been correct about the Houlihan number being off; Hold Security's estimate for affected accounts is approximately 37 million.

"Panera's handling of its leak was a disaster. From dismissing responsible disclosure from the security community, to ignoring the problem for eight months, to racing to downplay the scope and say it had been remediated, Panera should be ashamed at how poorly it handled this from end-to-end," said Ben Johnson, CTO and co-founder of Obsidian Security in statement. "It is better to fix the problem than to race to the media with news of a purported fix. If there's a silver lining here, it's that we can have a new example how not to respond to a security leak.”

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
4/4/2018 | 9:44:20 AM
Panera symptomatic
Thank you Curtis, for posting this report. 

In itself, the breach, the compromised data, and the response may seem like small potatoes compared to the mega breaches of the past few years.  However, this event is symptomatic of a problem well beyond the scale of any such incident.  There are a number of pertinent issues to consider; but for the moment, think about this: a restaurant chain has taken on the data security responsibilities which a few decades ago would only be expected of gevernments, financial institutions or defense contractors. 

In the case of Panera Bread, it is evident that they had not acknowledged the full extent of such responsibilities - and yet, what they had done to secure their data may well have been up to or beyond that of most entities of similar scale.  "May well have" because we are only likely to be able to make such assessments for those entities which have been breached - and it becomes known that a breach has occurred.  The case of Panera being "the tip of the iceberg" is almost certainly an understatement. 
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
Getting Up to Speed with "Always-On SSL"
Tim Callan, Senior Fellow, Comodo CA,  10/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Too funny!
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.