Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Panera Bread Leaves Millions of Customer Records Exposed Online

Personal information exposed in plain text for months on Panerabread.com and the company's response failed to rise to the challenge.

Panera Bread, the "fast casual" restaurant chain that is the remote office for countless knowledge workers, is the latest business to suffer a major breach to a customer database — and the latest company to offer lessons in how not to respond to information from security researchers and analysts.

KrebsOnSecurity reported yesterday on a programming error on Panera's website that left millions of customer records - names, email addreses, physical addresses, birthdays, and the last four digits of their credit cards - exposed in plain text, to a casual search. That's bad enough, but when the details of the error's history began to come out, things got worse.

Dylan Houlihan, a security researcher, notified Panera on August 2, 2017 that the information was accessible. Initially, Panera's IT team simply didn't believe him. After additional correspondence, the company's director of information technology told Houlihan that they had verified his findings and remediated the problem.

Unfortunately, when Houlihan contact KrebsOnSecurity on April 2, the information was still available in plain text. The researcher said he contacted KrebsOnSecurity because Panera was showing no interest in, or effort toward, remediation.

"The Panerabread.com leak is an inexcusable oversight that not only took far too long to fix, but should have never occurred in the first place," says Paul Bischoff, privacy advocate at Comparitech.com, pointing out that customers' names, email addresses, physical addresses, birthdays, and the last four digits of their credit cards were accessible for eight months.

After KrebsOnSecurity contacted Panera, the website was taken offline and the information was no longer freely available, though Hold Security pointed out that it was still available to anyone who logged into the site — potentially, logging in using credentials that were openly available for 8 months.

"This kind of programming mistake is much more common than you would think. We highly advise website owners to perform penetration testing of their websites to identify these types of vulnerabilities as early as possible," says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. "In the case of Panerabread.com, the site had an open API that anyone on the Internet could query and did not require any type of authentication."

Panera talked on camera to Fox Business almost immediately after the KrebsOnSecurity contact. In their on-camera interview, the company said that only about 10,000 records had been accessible, not the 7 million records claimed by Houlihan. Further research by Hold Security and reported by KrebsOnSecurity indicates that Panera may have been correct about the Houlihan number being off; Hold Security's estimate for affected accounts is approximately 37 million.

"Panera's handling of its leak was a disaster. From dismissing responsible disclosure from the security community, to ignoring the problem for eight months, to racing to downplay the scope and say it had been remediated, Panera should be ashamed at how poorly it handled this from end-to-end," said Ben Johnson, CTO and co-founder of Obsidian Security in statement. "It is better to fix the problem than to race to the media with news of a purported fix. If there's a silver lining here, it's that we can have a new example how not to respond to a security leak.”

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
4/4/2018 | 9:44:20 AM
Panera symptomatic
Thank you Curtis, for posting this report. 

In itself, the breach, the compromised data, and the response may seem like small potatoes compared to the mega breaches of the past few years.  However, this event is symptomatic of a problem well beyond the scale of any such incident.  There are a number of pertinent issues to consider; but for the moment, think about this: a restaurant chain has taken on the data security responsibilities which a few decades ago would only be expected of gevernments, financial institutions or defense contractors. 

In the case of Panera Bread, it is evident that they had not acknowledged the full extent of such responsibilities - and yet, what they had done to secure their data may well have been up to or beyond that of most entities of similar scale.  "May well have" because we are only likely to be able to make such assessments for those entities which have been breached - and it becomes known that a breach has occurred.  The case of Panera being "the tip of the iceberg" is almost certainly an understatement. 
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19642
PUBLISHED: 2019-12-08
On SuperMicro X8STi-F motherboards with IPMI firmware 2.06 and BIOS 02.68, the Virtual Media feature allows OS Command Injection by authenticated attackers who can send HTTP requests to the IPMI IP address. This requires a POST to /rpc/setvmdrive.asp with shell metacharacters in ShareHost or ShareNa...
CVE-2019-19637
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19638
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function load_pnm at frompnm.c, due to an integer overflow.
CVE-2019-19635
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer overflow in the function sixel_decode_raw_impl at fromsixel.c.
CVE-2019-19636
PUBLISHED: 2019-12-08
An issue was discovered in libsixel 1.8.2. There is an integer overflow in the function sixel_encode_body at tosixel.c.