Panera Breach Response (Or Lack Thereof)

“Panera maintains reasonable physical, electronic, and procedural safeguards to protect your Personal Information.” This is the first line of the security section in the Panera Bread privacy policy. Unfortunately, Panera is not living up to even a basic standard, let alone a reasonable standard, of data protection.

On August 2nd, 2017, security researcher Dylan Houlihan contacted Panera to let them know they were leaking customer data on their website. Mr. Houlihan’s report was met with skepticism from Panera’s Director of Information Security, who thought it was a scam. Undeterred, Houlihan followed up, and a week later Panera seemed to acknowledge the issue and stated they were working on a solution.

Fast forward to April 2nd, 2018, eight months to the day after Houlihan reported the issue, and the leak was still present on the Panera website. At this point he contacted Brian Krebs of the influential blog KrebsOnSecurity about the issue. Mr. Krebs spoke with Panera’s Chief Information Officer shortly after being contacted.

Per KrebsonSecurity, “In a written statement, Panera said it had fixed the problem within less than two hours of being notified by KrebsOnSecurity. But Panera did not explain why it appears to have taken the company eight months to fix the issue after initially acknowledging it privately with Houlihan.”

“Panera takes data security very seriously and this issue is resolved,” the statement reads. “Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.”

Making matters worse, Panera issued a statement claiming that only 10,000 customer records were exposed. @holdsecurity quickly countered this number by noting that 7 million records were exposed. As of last count, the number of records affected by this breach is in excess of 37 million.

Mr. Houlihan provides a recap of the situation in an excellent Medium post. In it he highlights an excellent point: Panera is today’s punching bag for security slip-ups, much like Equifax, Yahoo, and others before it, but the bigger point is that these types of breaches will continue to happen.

The high profile of breaches over the past couple of years has brought cyber security to the forefront of everyone’s minds. No longer is it just a concern of the IT department. Unfortunately, greater awareness of the need for improved data security has not translated into action as effectively as we would all hope.

In addition to Panera ignoring a known data breach, last week Boeing fell victim to WannaCry, a well-known and highly publicized ransomware for which a patch has been available for a year. So with all of the attention and risk associated with a data breach, why are we still falling down when it comes to good cyber hygiene?

Perhaps there is still too much of the ‘it won’t happen to us’ mentality. Or maybe some of the basics of security, like timely patching, still get de-prioritized due to a lack of resources or time. To be sure, there’s no single reason that’s easy to fix. Improving data security is a continuous process and requires an ongoing, ever-evolving approach to keep up with the latest attack vectors. What companies can do is prioritize and invest in security.

Panera’s saga also highlights something important for any company that has been breached: be honest. The damage has been done. Misleading people about the depth or breadth of a breach only makes matters worse. Instead of trying to downplay your role in exposing customer information, take your medicine, fix it, and improve your security protocols to reduce the risk of it happening again.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.