Panera Bread Leaves Millions of Customer Records Exposed Online

Published: 22/11/2024   Category: security




Personal information was exposed in plain text for months on Panerabread.com, and the company's response failed to rise to the challenge.



Panera Bread, the fast casual restaurant chain that is the remote office for countless knowledge workers, is the latest business to suffer a major breach to a customer database — and the latest company to offer lessons in how not to respond to information from security researchers and analysts.
KrebsOnSecurity reported yesterday on a programming error on Panera's website that left millions of customer records - names, email addresses, physical addresses, birthdays, and the last four digits of their credit cards - exposed in plain text to a casual search. That's bad enough, but when the details of the error's history began to come out, things got worse.
Dylan Houlihan, a security researcher, notified Panera on August 2, 2017 that the information was accessible. Initially, Panera's IT team simply didn't believe him. After additional correspondence, the company's director of information technology told Houlihan that they had verified his findings and remediated the problem.
Unfortunately, when Houlihan contacted KrebsOnSecurity on April 2, the information was still available in plain text. The researcher said he contacted KrebsOnSecurity because Panera was showing no interest in, or effort toward, remediation.
"The Panerabread.com leak is an inexcusable oversight that not only took far too long to fix, but should have never occurred in the first place," says Paul Bischoff, privacy advocate at Comparitech.com, pointing out that customers' names, email addresses, physical addresses, birthdays, and the last four digits of their credit cards were accessible for eight months.
After KrebsOnSecurity contacted Panera, the website was taken offline and the information was no longer freely available, though Hold Security pointed out that it was still available to anyone who logged into the site — potentially, logging in using credentials that were openly available for 8 months.
"This kind of programming mistake is much more common than you would think. We highly advise website owners to perform penetration testing of their websites to identify these types of vulnerabilities as early as possible," says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. "In the case of Panerabread.com, the site had an open API that anyone on the Internet could query and did not require any type of authentication."
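The failure Hahad describes, a customer-record API that answers any request without checking who is asking, is easy to model. The following is an added example written for this page, not code from Panera or from any of the parties quoted: a minimal handler with no authentication beside a hardened one that requires a bearer token and only returns the caller's own record, plus a small audit routine of the kind a pre-release test could run to flag endpoints that still serve records to unauthenticated callers. The customer records, session tokens and field names are constructed for illustration.

```python
"""Added example: an unauthenticated customer-record endpoint beside a hardened one.

Constructed data only; nothing here is Panera's code or data.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample records with the field types the article lists as exposed.
CUSTOMERS: Dict[int, dict] = {
    1001: {"name": "A. Example", "email": "a@example.invalid",
           "address": "1 Main St", "birthday": "1980-01-01", "card_last4": "4242"},
    1002: {"name": "B. Example", "email": "b@example.invalid",
           "address": "2 Main St", "birthday": "1975-06-30", "card_last4": "1111"},
}

# Constructed session store (hypothetical): bearer token -> customer id.
# In a real deployment this would be a session service, not a dict.
SESSIONS: Dict[str, int] = {"tok-alice": 1001, "tok-bob": 1002}


@dataclass
class Response:
    status: int
    body: Optional[dict]


def open_api_get_customer(customer_id: int, headers: dict) -> Response:
    """The weak pattern: no authentication at all.

    Anyone who can reach the endpoint and supply an id receives the record.
    """
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return Response(404, None)
    return Response(200, dict(record))


def authenticate(headers: dict) -> Optional[int]:
    """Resolve an 'Authorization: Bearer <token>' header to a customer id.

    Returns None when the header is missing, malformed, or the token is unknown.
    Comparison is constant-time so token lookup does not leak timing information.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    for known_token, customer_id in SESSIONS.items():
        if hmac.compare_digest(known_token, token):
            return customer_id
    return None


def hardened_get_customer(customer_id: int, headers: dict) -> Response:
    """Authenticate the caller, then authorize: a customer sees only their own record."""
    caller = authenticate(headers)
    if caller is None:
        return Response(401, None)  # not authenticated
    if caller != customer_id:
        return Response(403, None)  # authenticated, but not this record's owner
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return Response(404, None)
    return Response(200, dict(record))


def audit_unauthenticated_access(handler: Callable[[int, dict], Response],
                                 ids: Iterable[int]) -> List[int]:
    """Call a handler with no credentials and list every id it serves anyway.

    A non-empty result means the endpoint leaks records to anonymous callers.
    """
    return sorted(cid for cid in ids if handler(cid, {}).status == 200)


if __name__ == "__main__":
    print("open API leaks ids:", audit_unauthenticated_access(open_api_get_customer, CUSTOMERS))
    print("hardened leaks ids:", audit_unauthenticated_access(hardened_get_customer, CUSTOMERS))
```

The audit function is the part worth keeping around: run against every record-returning handler in a test suite, it turns "does this endpoint require authentication?" into a check that fails the build rather than a question answered eight months later by an outside researcher.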
Panera talked on camera to Fox Business almost immediately after the KrebsOnSecurity contact. In the on-camera interview, the company said that only about 10,000 records had been accessible, not the 7 million records claimed by Houlihan. Further research by Hold Security, reported by KrebsOnSecurity, indicates that Panera may have been correct about the Houlihan number being off; Hold Security's estimate for affected accounts is approximately 37 million.
"Panera's handling of its leak was a disaster. From dismissing responsible disclosure from the security community, to ignoring the problem for eight months, to racing to downplay the scope and say it had been remediated, Panera should be ashamed at how poorly it handled this from end-to-end," said Ben Johnson, CTO and co-founder of Obsidian Security, in a statement. "It is better to fix the problem than to race to the media with news of a purported fix. If there's a silver lining here, it's that we can have a new example of how not to respond to a security leak."