Krebs on Security broke the story a couple of days ago about a data breach that occurred through the Panera Bread website. Panera is alleged to have leaked customer data through an online ordering app at the website, panerabread.com. Apparently, when a customer created an account to order food online, the customer information was stored in plain text and was accessible to anyone.
Interestingly, Krebs provides an email sent to Panera’s Director of Information Security, Mike Gustavison, from a security researcher who discovered the problem on August 2, 2017. Gustavison’s initial reaction to the researcher’s notification was a scolding and curt response:
“My team received your emails however it was very suspicious and appeared scam in nature therefore was ignored. If this is a sales tactic I would highly recommend a better approach as demanding a PGP key would not be a good way to start off. As a security professional you should be aware that any organization that has a security practice would never respond to a request like the one you sent. I am willing to discuss whatever vulnerabilities you believe you have found but I will not be duped, demanded for restitution/bounty, or listen to a sales pitch.”
The complete email chain is published on Dylan Houlihan’s blog. Houlihan discovered and immediately reported the vulnerability. Viewing the email chain is a wonderful exercise in ‘How NOT to handle a security researcher reporting a security breach to your company.’ Do you think anyone responsible for cyber security at Panera, a company that does $5B in sales annually with millions of customers, would take 5 minutes to at least look? Mishandled.
Immediately a disparity between Krebs and Panera became apparent over the number of customers affected. According to Panera, the number stands at 10,000, but Krebs and his sources place the number in the millions. I suspect both numbers will moderate toward a middle number somewhere, but here’s the biggest problem I see so far: there’s no mention of the breach on the Panera website.
I take issue with Panera’s handling of the incident so far on two fronts: ethical transparency and the SEC. Why can’t Panera issue a statement on their website acknowledging the issue, the mistakes they made and the fix they completed? Fortunately for them, Panera is a private company and not subject to the Securities and Exchange Commission and shareholder notifications. They’re just not very transparent.