Another Company Blows Off Breach Notification For Months, Lies About Affected Customers When It's Exposed
from the trust-no-one dept
Another day, another security breach. Another day, another security breach handled badly by the company leaking data. Another day, another security researcher being treated like garbage for attempting to report it. Etc. Etc.
The victim perpetrator here is Panera Bread. Researcher Dylan Houlihan informed Panera Bread its online ordering service was leaking data. This notification happened months ago.
In August 2017, I reported a vulnerability to Panera Bread that allowed the full name, home address, email address, food/dietary preferences, username, phone number, birthday and last four digits of a saved credit card to be accessed in bulk for any user that had ever signed up for an account. This includes my own personal data! Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months.
Houlihan emailed Mike Gustavision — then Panera’s head of security — about the vulnerability. Like many other discovered data leaks, all a user had to do was alter digits in company’s online ordering site to view other people’s personal information. Users did not even need a Panera account to do this.
Houlihan’s notification attempt was greeted with derision by Panera’s security head. [Click for a larger version.]
Dylan,
My team received your emails however it was very suspicious and appeared scam in nature therefore was ignored. If this is a sales tactic I would highly recommend a better approach as demanding a PGP key would not be a good way to start off. As a security professional you should be aware that any organization that has a security practice would never respond to a request like the one you sent. I am willing to discuss whatever vulnerabilities you believe you have found but I will not be duped, demanded for restitution/bounty or listen to a sales pitch.
Eventually, Gustavision provided a PGP key and allowed Houlihan to send him info on the site’s vulnerability. But, as Houlihan points out, this is no way to treat someone reporting a possible breach. Not only was the immediate response needlessly combative, the company’s response to the notification was to do nothing until it was publicized by other security researchers.
This was contrary to Gustavision’s statements to Houlihan, which claimed Panera’s security team was “working on a response.” That was the claim last August. Houlihan continued to check the site since his own information was included in what was exposed and nothing changed until April of this year, eight months after being notified.
Somehow, Panera was magically on top of the situation when it went mainstream. After Brian Krebs spoke to the company’s CIO about the breach, Panera briefly took its site offline for maintenance. It then declared it had fixed the hole within two hours of notification, glossing over the fact it had been notified eight months earlier and done nothing. It also downplayed the problem as only affecting a small portion of Panera customers.
Almost minutes after this story was published, Panera gave a statement to Fox News (no link will be provided) downplaying the severity of this breach, stating that only 10,000 customer records were exposed.
In essence, it lied to press outlets seeking comment. Security researchers noted the problem hadn’t even been completely fixed yet.
Almost in an instant, multiple sources — especially @holdsecurity — pointed out that Panera had basically “fixed” the problem by requiring people to log in to a valid user account at panerabread.com in order to view the exposed customer records (as opposed to letting just anyone with the right link access the records).
And it was far, far bigger than Panera publicly claimed. Krebs initially estimated the exposed records at 7 million. Additional research by Krebs showed multiple divisions of Panera were affected by the same vulnerability (like its online catering service). After examining APIs used by Panera’s online services, Krebs estimates close to 37 million records have been exposed.
What will Panera learn from this? Whatever it does learn won’t spread to other companies, that’s for certain. Breach after breach has shown us companies are willing to shoot the messenger, cover up the damage, ignore repeated notifications, and obfuscate when breaches are finally exposed. Panera didn’t handle breach notification worse than other companies have. It just did as little as possible until forced to confront the problem. This mindset is shared by far too many entities. They love scooping up personal data, but not the security responsibility that comes with it.
Filed Under: data breach, leaks, security
Companies: panera
Comments on “Another Company Blows Off Breach Notification For Months, Lies About Affected Customers When It's Exposed”
"I don't get it, why didn't anyone tell us beforehand...?"
And yet another perfect example of why it’s useless to contact a company with security flaws, rather than just ignoring it or, if you want to force the issue, anonymously making it public and forcing them to scramble to fix it.
The one upside to this is that while they brushed him off initially, and then ignored him after that, at least they didn’t try to sue him to shut him up as others have done. The fact that this is an unexpected positive however shows just how risky security researchers and those that try to help out have it, and how utterly insane so many companies can be when it comes to dealing with security.
This sounds like a very insecure man who has a stake in at least 8 time shares he can’t use.
An obvious "scam" says a real-life Inspector Clouseau
… because every company’s head of online security surely must know that whenever someone requests a PGP key, it’s basically no different from some Nigerian asking for your bank account number.
PGP Key
The fact that he makes a stink about exchanging PGP keys to facilitate secure data sharing tells you pretty much everything you need to know about their security philosophies.
Re: PGP Key
Well, it is good that he was being careful with sharing public pgp keys. You do not want those things to be out and shared in public do you? Besides, it is not like you can just sit down and generate those things randomly. In some situations you actually have to use a command line to do that sort of thing!
Re: Re: PGP Key
Use a command line? Only hackers use those!
Mechanical
Really this is no different than any other facet of business.
Even if there are laws inspectors and penalties corporate types will avoid and circumvent till their backside is cooling in a jail somewhere.
Be it wages, saftey for employees or customers or just the general public being put at risk, they font care up and until their neck is in the noose.
Head knocker
And I just signed up a couple weeks ago. Looks like I just hit my head on a low-hanging breach. Should have ducked, I guess.
Act Proactively
I have a problem with the way they dealt with this because a software can have a bug or something had been ignored at first but they should act proactively.
If it doesn’t cost then companies are not going to start sanitizing their security practices. Place hefty fines for mishandling breaches or have people leave in droves as the norm and you’ll see companies getting their acts together.
There’s no incentive to do things right from the businesses perspective.
Sympathetic
I get so many sales pitches at my work address, I don’t blame that guy for that first response at all. If a sales guy could get through just by claiming to report a vulnerability, you can bet lots of sales folks would do that. He explicitly says, “I am will to discuss…”. We should really be looking at how that next conversation went, rather than this one.
It’s in the employee’s interest to ignore notifications like this. If he does his job and brings it up to higher management, he’s liable to get thrown out of the company. They’ll investigate him, find something or invent something, and end the issue like that while sending a message to others.
How do I know this? Happened to me. Career poof!
Re: Re:
I’d rather get fired doing the right thing and slip off into obscurity than have my name associated with a major breach.
Not just a breach but ignoring a breach then handling it badly.
Mike Gustavision better just wipe his tenure at Panaera Bread from his Resume and hope nobody remembers his name. I wouldn’t hire this guy to image machines.
Re: Re: Re:
That was one of the reasons I gave for why I brought it up to them. I would not allow my name to be attached to a worldwide scale data breach.
However, that said, his best moves are to either ignore it or quit immediately. By responding so poorly, his professional name is forfeit. If he ignored it instead, he could say that he didn’t receive the notification because it was thought to be spam. If he brought it to higher management, he would become the problem.
Losing your job for doing the right thing is no joke. It has been a life altering event for me. I see the world completely differently. I’ve thrown away religion. I lost nearly all of my friends. When I called for a reference from one of my closest colleagues, HR responded with a threat of harassment. I can say with full confidence that it is not worth it, just leave immediately and do not look back.
Re: Re: Re:
Mike Gustavison used to be the Chief Security Officer for Equifax before he worked at Panera Bread. Let that sink in for a moment.
Re: Re: Re: Re:
Almost certainly why this story, now old, has been completely buried by St. Louis Post Dispatch.
Panera Bread was originally St. Louis Bread Company. Started in St. Louis.
Oh Woe Is Us!
“If only we had known then we’ve patched it!” They cry playing oblivious to the fact that in the same breath also shot the messenger who tried to warn them.
Seriously, these companies bully and intimidate security researchers who when they find an exploit do the right thing and try to tell said company so it can be fixed and how are they rewarded? Being ignored at best, lawsuits and jailtime at worst and these companies have the gall to ask why no one tried to warn them!
“If you can’t secure it, don’t keep it.” – Brian Krebs
Re: "It wasn't a problem until you told us about it."
Short-term it does make a twisted sort of sense, in the managerial ‘If I don’t know about the problem it’s not a problem’ way. Before being told about the problem the problem didn’t exist, it’s only after being told that now they have to deal with it, therefore the cause of the problem is not the vulnerability, it’s the person who reported it.
Long-term of course that kind of thinking and acting all but ensures that those that aren’t looking to exploit vulnerabilities will keep their mouths shut, such that the first time a company learns about a flaw is when it’s used against them, but that’s something for someone else to deal with, or even them but not now.
Re: Re: "It wasn't a problem until you told us about it."
And this is why I don’t signup for any company service unless it is absolutely necessary. Having an account with panera is not necessary.
Re: Oh Woe Is Us!
The researcher is lucky they didn’t shoot harder. Incrementing the number in a URL is what weev went to prison for.
Panera wont learn a thing, wont do a thing except lie further to (try) to cover it’s own ass and continue to blame the very person/people who tried to help it by warning of the problem. none of this would have come about had it not been for the USA govt and law enforcement being allowed to get away with blaming everyone else, every time a whistle blower exposed their wrong doings! and lets face it, there’s nothing more sacred than saving something that the govt and police want hidden!!
If they told the truth
They wouldn’t have made as much dough.
Because before the breach, business was always rising.
And that’s not the yeast of it!
Prior to his illustrious career at Panera, Mike Gustavison was Senior Directory of Security Operations at…wait for it…Equifax!
Re: Re:
I thought this was a joke… but holy hell.
His LinkedIn says he worked information security at both places.
Re: Re: Re:
What is his definition of work? Sitting in a chair and pretending to be a security professional is not working.
Dumb!
All these data breaches…that’s why I don’t even believe in computers
Until the cost of inaction > the cost of the PR spin, this will continue.
Imagine a law that allowed multipliers for the number of times they blew off people reporting the issue.
Imagine a multiplier for lying about number affected.
Imagine a multiplier blaming “hackers” to cover your own ineptness.
The public response to these things is getting muted because we literally expect some site to be leaking our shit every 3 days.
Remember when they would change the color of the rainbow alert system every 4 hours based on ‘chatter’ that they could never explain lest the ninja terrorists figure out we were spying on them???
These little shits screamed wolf enough that we stopped paying attention & we fret about the body parts around town, rather than hire a better wolf spotter & beating the ass of any kid who lies about a wolf.
Anyone?
Know why I dont like giving my info ANYWHERE ON THE NET???
Why I use Adblocker and NOSCRIPT??
AND WHY IN HELL FB wants me to use my REAL NAME???
"Everything" is insecure
The business issue is that websites are not perfectly secure; and the is no incentive to make them bulletproof.
The disturbing fact in this breach was so simple to demonstrate.
Pitched another way: All your competitors now have all your customer details! Yikes! That data is valuable!