Panera Bread's breach response: Chew on this infosec fail

Richi Jennings, Industry analyst and editor, RJAssociates

Panera Bread, the “fast-casual” restaurant chain, knew it had a gaping hole in its customer database for at least eight months, but seemingly did zip about it.

That is, until the press got hold of the story, natch. But the resulting PR response was about as weak as the technical one was late.

Read on to learn how not to respond to an infosec incident. In this week’s Security Blogwatch, we knead help.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: practical magic


How not to bake up a response to a data breach

All aboard the Brian Krebs cycle—Panerabread.com Leaks Millions of Customer Records:

Panerabread.com … leaked millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number. … Security researcher Dylan Houlihan … initially notified Panera about customer data leaking from its Web site back on August 2, 2017.

Fast forward to … exactly eight months to the day after Houlihan first reported the problem — and data shared by Houlihan indicated the site was still leaking customer records in plain text. Worse still, the records could be indexed and crawled by automated tools with very little effort.

The vulnerabilities also appear to have extended to Panera’s commercial division which serves countless catering companies. … The number of customer records exposed in this breach appears to exceed 37 million.

In a written statement, Panera said … “Panera takes data security very seriously. … We suspended the functionality to repair the issue.” [However] Panera had basically “fixed” the problem by requiring people to log in to a valid user account … in order to view the exposed customer records.

Wait. Pause. Did Panera Bread seriously take that immortal PR line? Dylan Houlihan scoffs—No, Panera Bread Doesn’t Take Security Seriously:

Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months. … Worse still, the vulnerability was not fixed at all — which means the company either misrepresented its actual security posture to the media to save face or was not competent enough to determine this fact.

[In an] email exchange with Panera Bread’s Information Security Director … I am accused of being a scam artist after sending a polite email informing a security professional of a security vulnerability in their software. … The response I received is not appropriate. … There is never a reason to begin a conversation like that by being so defensive.

After I was reassured this would be fixed, I checked on this vulnerability every month or so. … Eight months go by. … I’m fed up with the lackluster response, so I decided to publish it. … You can just increment that number sequentially, and you’ll grab every single user in the database.

Panera Bread’s ordering portal was down for an hour to patch the issue. … But it wasn’t resolved! It was clearly, definitively, not resolved, despite the fact they clearly said it was.

Until we start holding companies more accountable for their public statements with respect to security, we will continue to see statements belying a dismissive indifference with PR speak. [But] we need to take Panera Bread’s actions as symptomatic of a much larger issue with security reporting and compliance.

And the absolute kicker! … The Director of Information Security who I reported this to, used to work at Equifax from 2009–2013. … It’s easy to point to certain individuals, but they do not end up in those positions unless that behavior is fundamentally compatible with the broader corporate culture and priorities.

If you are a security professional, please, I implore you, set up a basic page describing a non-threatening process for submitting security vulnerability disclosures. … Make sure this is immediately read by someone qualified and engaged to investigate those reports. … You do not need to offer a bug bounty or a reward. Just offering a way to allow people to easily contact you with confidence would go a long way.

Troy “@troyhunt” Hunt hunts for an angle:

“Panera takes data security very seriously” - Bull. ****. This is the sort of incident regulators need to throw the book at. It’s one thing to have a vulnerability, but it’s quite another to ignore it and claim you’re taking it seriously.

All we have on the record at present is [the Panera director of infosec] acknowledging the issue then nothing happening. So what do we want? Transparency. If he was held back by C-level execs then let that come through because right now, it doesn’t look good for him.

Do you work in incident response? Read @RayRedacted’s response to the incident: [You’re fired—Ed.]

If you work in Incident Response, you should read this article so you can see how NOT to respond to a breach. Panera Bread’s response nearly makes Ashley Madison’s response look ethical by comparison.

What price responsible disclosure? Heed the warning of Ms. Smith:

You know how upsetting it is when a vulnerability is publicly disclosed before a company has time to resolve the issue? Yet Panera’s choice to be unresponsive to Houlihan’s disclosure … is why some researchers won’t play this game and choose to disclose publicly.

BTW, did someone say 37 million? Hold Security digs out a pocket calculator:

The customer ids go all the way up to 41m+

What about the consequences for Panera? hyades1 just laughs:

Those of us who care about incidents like this are increasingly painted into a corner. The sheeple, on the other hand, just don't care. If they get a chance to trade their contacts list for 20 "reward points", they'll do it in a heartbeat. If you're on that list, too bad.

And companies like Panerabread continue to get away with this kind of nonsense.

Just once, I would love to see somebody whose family was affected by something like this put the entire lives of the offending corporation's board on-line. … See how they like it when they face the same sort of exposure they inflict on others.

But why? Raymond Wong says it’s because LOL security:

After a series of emails and false accusations claiming he was a scammer or was interested in a bounty … Panera Bread’s Information Security Director finally responded and said they were working on a resolution. … Eight months roll by … and nothing happens.

We've reached out to Panera Bread for comment on why it ignored Houlihan's warnings and failed to fix the flaw for eight months. We [did not] hear back.

So Daniela Galarza offers her own theory:

Perhaps the sandwich company’s relative success with its mobile ordering and payment systems was too good to put the brakes on. Then again, longstanding consumer trust might just supersede that.

For edumacational purposes, what was the vuln, anyway? Here’s Thomas Claburn—baguette biz finally rises to security obligations:

Fetching millions of accounts via query could be a challenge if Panera used a more secure … account numbering scheme. But Panera implemented the opposite: an easily guessable … scheme by which anyone with basic coding skills could hit the account API endpoint – https://delivery.panerabread.com/foundation-api/users/uramp/1234567 – and iterate through every database entry [sequentially].
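An added example, not code from the page or from any of the quoted writers: a small detector for the enumeration pattern Claburn describes, which parses Common Log Format access lines and flags any client that reads many distinct user records at successive IDs. Only the path shape comes from the endpoint quoted above; the log lines, client IPs (RFC 5737 documentation ranges), user IDs and timestamps are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real Panera logs): the path shape is the one quoted
# above; client IPs (RFC 5737 documentation ranges), user IDs and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2018:10:00:01 +0000] "GET /foundation-api/users/uramp/1234567 HTTP/1.1" 200 812
203.0.113.7 - - [02/Apr/2018:10:00:01 +0000] "GET /foundation-api/users/uramp/1234568 HTTP/1.1" 200 809
203.0.113.7 - - [02/Apr/2018:10:00:02 +0000] "GET /foundation-api/users/uramp/1234569 HTTP/1.1" 200 815
203.0.113.7 - - [02/Apr/2018:10:00:02 +0000] "GET /foundation-api/users/uramp/1234570 HTTP/1.1" 200 811
203.0.113.7 - - [02/Apr/2018:10:00:03 +0000] "GET /foundation-api/users/uramp/1234571 HTTP/1.1" 200 810
198.51.100.9 - - [02/Apr/2018:10:00:05 +0000] "GET /foundation-api/users/uramp/8841122 HTTP/1.1" 200 804
198.51.100.9 - - [02/Apr/2018:10:03:00 +0000] "GET /foundation-api/users/uramp/8841122 HTTP/1.1" 200 804
198.51.100.9 - - [02/Apr/2018:10:04:00 +0000] "GET /foundation-api/orders/77001 HTTP/1.1" 200 1402
"""

# Common Log Format fields we need, then the numeric record ID inside the users path.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
USER_PATH_RE = re.compile(r"^/foundation-api/users/uramp/(?P<uid>\d+)$")


def parse_user_lookups(log_text):
    """Map client IP -> list of numeric user IDs it fetched with a 200 response."""
    lookups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        p = USER_PATH_RE.match(m.group("path"))
        if p:
            lookups[m.group("ip")].append(int(p.group("uid")))
    return lookups


def find_enumeration(log_text, min_distinct=4, min_sequential_ratio=0.75):
    """Flag clients that read many distinct records, mostly by stepping the ID by one.
    A crawler walking the keyspace yields a run of distinct IDs with successive differences
    of +1; returns {ip: {"distinct": n, "sequential_steps": k}} for flagged clients."""
    flagged = {}
    for ip, ids in parse_user_lookups(log_text).items():
        distinct = sorted(set(ids))
        if len(distinct) < min_distinct:
            continue
        steps = sum(1 for a, b in zip(distinct, distinct[1:]) if b - a == 1)
        if steps / (len(distinct) - 1) >= min_sequential_ratio:
            flagged[ip] = {"distinct": len(distinct), "sequential_steps": steps}
    return flagged
```

Because the "fix" Krebs describes only required a valid login, a single authenticated account could still walk the IDs, so in practice the same check should be keyed on the session or account rather than the source IP.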

Meanwhile, We’ll always have Sam Therapy:

So, basically, their security is toast?


The moral of the story?

No service is perfectly secure, but white-hat researchers are on your side. What can you learn from others’ mistakes?


And finally …

A Magician Comes Home After a Long Day of Work

Stick with it for all 40 seconds


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.
