Security

Panera Bread website leaked customer data for 8 months, 'fix' failed to patch flaw

Representatives from the company downplayed the issue on Fox Business Network after Brian Krebs broke the story.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Security researcher Dylan Houlihan first contacted Panera in August 2017 to disclose the vulnerability, but the company only attempted a patch after public disclosure Monday.
  • Veteran security reporter Brian Krebs estimates that 35 million accounts are subject to the vulnerability.

The website of the American bakery/café Panera Bread was completely taken offline late Monday night following the disclosure of a major security vulnerability allowing any user to access nearly all of the customer data on the site.

The disastrous sequence of events leading up to the website being taken offline dragged on for months and involved security researcher Dylan Houlihan, Panera Bread Director of Information Security Mike Gustavison, CIO John Meister, veteran security reporter Brian Krebs, and the Fox Business Channel.

After unsuccessful attempts to reach any contacts at Panera Bread through email, Twitter, and LinkedIn, Houlihan sent an email to Gustavison (after formal introduction through a mutual connect) on August 2, 2017 about the existence of a flaw on Panera Bread's website that allows anyone to access the full name, email address, phone number, and the last four digits of the saved credit card number of any user of the Panera Bread website—including Houlihan's own information.

The next day, Gustavison sent the following email, according to screenshots of the exchange published by Houlihan:

My team received your emails however it was very suspicious and appeared cam in nature therefore was ignored. If this is a sales tactic I would highly recommend a better approach as demanding a PGP key would not be a good way to start off. As a security professional you should be aware that any organization that has a security practice would never respond to a request like the one you sent. I am willing to discuss whatever vulnerabilities you believe you have found but I will not be duped, demanded for restitution/bounty or listen to a sales pitch.

After the exchange of PGP keys, Houlihan sent a description of the vulnerability, and followed up several times to ensure that the description was read. On August 9, 2017, Gustavison indicated the company was "working on a resolution."

As of yesterday, the vulnerability was still unpatched, which prompted Houlihan to disclose the vulnerability publicly on Pastebin. Houlihan noted in the disclosure that "Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you'd like, up to and including the entire database."

SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)

At this point, veteran security reporter Brian Krebs contacted Panera Bread CIO John Meister before publishing his article detailing the vulnerability. Shortly after publication, Meister reached out to Fox Business Network to announce that "this issue is resolved," adding that "Following reports today of a potential problem on our website, we suspended the functionality to repair the issue." As shown above, the reports of the vulnerability originated in August. The only action taken was after the release of the Pastebin disclosure and the article by Krebs.

This "resolution," in reality, did nothing more than hide the customer information from guests—any customer who signed in to the website would be able to exploit the same flaw. The statement by Meister claims that "fewer than 10,000 consumers have been potentially affected" by the vulnerability, though Krebs noted in a tweet that the company had no number when he contacted them before the publication of his article.

Further research by Krebs indicated that the vulnerability extends to the service website Panera operates for catering companies—in addition to in-store sales, the company also bakes bread for caterers—which puts estimates at 37 million accounts compromised by this vulnerability.

Of additional interest, Panera Bread's director of information security, Mike Gustavison, was the senior director of security operations at Equifax from January 2009 to June 2013, according to his LinkedIn profile. In September 2017, Equifax disclosed that their systems were compromised. As of this February, reports indicate that 145.5 million people have had names, Social Security numbers, dates of birth, and addresses exposed by the data breach.

While breaches that allow hackers to retrieve personally identifiable information often result in class-action lawsuits that are inevitably dragged out for years, Travis Smith, principal security researcher at Tripwire, noted that: "Even if there was some sort of litigation, those who were affected can really only count on adding another year of free credit monitoring. While this is personally identifiable information, the sad fact is that the only real new piece of information attackers have now is that you like sandwiches."

Also see

panera.jpg
Image: iStockphoto/krblokhin

About James Sanders

James Sanders is a technology writer for TechRepublic. He covers future technology, including quantum computing, AI, and 5G, as well as cloud, security, open source, mobility, and the impact of globalization on the industry, with a focus on Asia.

Editor's Picks

Free Newsletters, In your Inbox