“The security aspect of cyber is very, very tough,” a man once said while talking incoherently about cybersecurity and online threats. But that’s still a fact. Cybersecurity is difficult, especially if you don’t care about fixing critical issues that would allow hackers to steal sensitive data belonging to millions of customers.
Panera Bread apparently did just that. It ignored warnings that its website was leaking customer data, leaving the vulnerability unpatched for eight months. When it became clear that the public would find out about it, the company came forward saying that 10,000 customers may have been affected by the security issues. The number, it turns out, may be closer to 37 million than to that 10,000, which appears to be an arbitrary figure.
It all started early last August when security researcher Dylan Houlihan notified the restaurant chain that its website was leaky. He discovered that user data for any customer who signed up to order food online or have it delivered was available in plain sight. Information including names, emails, physical addresses, birthdays and the last four digits of a customer’s credit card number could be obtained by anyone browsing through the site. Panera loyalty card numbers were also exposed in the database. All that data was available in plain text form, and hackers could have accessed it pretty easily.
Houlihan’s warning was dismissed as a scam initially. Then, Panera Bread’s director of information security Mike Gustavison acknowledged the issue and told him that the company is working on a resolution. Hilariously, Gustavison worked at Equifax from 2009 to 2013 as a Director of Information Security.
Oh look, the guy my source initially notified at @panerabread EIGHT MONTHS AGO — their dir. of info security – was senior dir. of security operations at Equifax until 2013. Shocker. https://t.co/kLepEToKqr
— briankrebs (@briankrebs) April 2, 2018
That never happened. Security expert Brian Krebs, who runs the respected cybersecurity blog Krebs on Security, talked to Panera’s chief information officer John Meister earlier this week. That’s when Panera took the website offline briefly to fix it. The fix, apparently, was to block that web page with a username and password prompt.
Panera said there’s no evidence “of payment card information nor a large number of records being accessed or retrieved.” The company also said that it fixed the problem within two hours after Krebs contacted it, but did not address why it had left the data out in the open for eight months. It then gave Fox News a statement in which it said that only 10,000 customer records were exposed.
Discoveries made by Hold Security revealed that the breach may have affected at least 7 million accounts. The breach may also involve Panera’s commercial division which serves catering companies. The total number of exposed records may reach 37 million.
The security aspect of cyber is even tougher if you ignore it for months.
What you need to do is make sure that, well, nobody accessed any of your online accounts in the past eight months with data that may have been extracted from Panera Bread’s website to help them impersonate you. You should also come up with new passwords for your Panera Bread account and for every other online service you use with the same combination of username and password. Just to be on the safe side.