The Panera Bread cafe and bakery chain, known for its sandwiches, coffee, and year-round broccoli cheddar soup, is suffering from a severe bout of self-induced digital indigestion.
Security researcher Dylan Houlihan says he notified Panera Bread, a chain of more than 2,000 stores in the United States, of a website vulnerability in August 2017. He said the site was leaking customers’ personally identifiable information, including usernames, first and last names, email addresses, phone numbers, birthdays, the last four digits of saved credit card numbers, home addresses, social accounts, food preferences, and dietary restrictions.
It’s the kind of information that scammers can use, along with leaked financial information, to create fake accounts and ring up fraudulent charges.
READ MORE ON VULNERABILITY DISCLOSURE
What’s in a bug bounty? Not extortion
How to attack security issues like Google and Microsoft just did
Bug bounties break out beyond tech
The dark side of bug bounties
As bug bounties proliferate, hacking contests maintain strong pull
When to disclose a zero-day vulnerability
When Houlihan attempted to warn Mike Gustavison, Panera’s information security director, about the data leak, Gustavison’s email response was to accuse Houlihan himself of running a scam.
“I have worked internally as a security engineer responsible for fielding random security reports like this from the outside,” Houlihan wrote in an April 2 blog post detailing his correspondence with Panera. “I have also submitted reports like this to companies, in bug bounties and as a courtesy with no expectation of a reward. I have been on both sides of the table. The response I received is not appropriate whatsoever.”
In an undated video for Internet content delivery company Akamai, since removed from the company’s website but still available on Archive.org, Gustavison says it’s possible to “oversecure” a website.
Gustavison and other Panera Bread executives proceeded to do nothing about the vulnerability for eight months. Houlihan, “fed up with the lackluster response,” gave his research to security reporter Brian Krebs, who then reported it on April 2. Once news of the leak went public, Panera pulled its website down, told news outlets that it had found fewer than 10,000 potentially affected customer accounts, and put the website back up two hours later.
“Panera takes data security very seriously, and this issue is resolved,” John Meister, Panera’s chief information officer, said in a statement to Fox Business that day. “Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information, nor a large number of records being accessed or retrieved. Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps.”
Hours after Fox published that statement, subsequent research found that Panera executives had downplayed the potential scope of the leak by a factor of 4,100: According to Hold Security, up to 41 million customer accounts might have been involved.
“I have pressed federal agencies to develop vulnerability disclosure policies, and I strongly encourage businesses to adopt this best practice as well.”—Rep. Jim Langevin
Panera Bread’s site is back up, and it’s unclear at this point if the vulnerability has been fixed or what, if any, data remediation measures the company has taken. On Thursday, a security engineer at Amazon’s cloud service wrote on Twitter that the company has told its employees that no customer data was exposed.
Neither Panera representatives nor Houlihan responded to requests to comment further.
While it’s not clear whether Panera executives misled the public about the scope of the vulnerability intentionally or out of ignorance, it’s clear from their statements to Houlihan prior to April 2 that they were not taking his research seriously.
Ultimately, the potential harm associated with a data leak of a consumer-facing company falls on its customers—in Panera’s case, including Houlihan himself—as they become exposed to financial fraud and identity theft. And one way or another, companies are coming to terms with the reality that they need to better protect their customers against breaches—and prepare them for the consequences.
From 2015 to 2017, the number of Forbes 2000 companies that have a vulnerability disclosure process remained almost unchanged, according to a report by HackerOne, a vulnerability disclosure and bug bounty management company. Still, business is booming for HackerOne, which raised a $40 million Series C investment last year, and Bugcrowd, which scored a $26 million Series C investment on March 1.
The interest isn’t only from the private sector, of course. Federal agencies including the Food and Drug Administration, Federal Trade Commission, National Highway Traffic Safety Administration, National Institute of Standards and Technology, National Telecommunications and Information Administration, and the Department of Homeland Security also have devoted resources to vulnerability disclosure and bug bounty programs.
Rep. Jim Langevin of Rhode Island believes that Panera could have avoided the public fallout of the breach if there had been a nationwide breach disclosure law like the bill he’s submitted to Congress. He took Panera to task in a statement to The Parallax for not having “a standard vulnerability disclosure process.”
“I have pressed federal agencies to develop vulnerability disclosure policies, and I strongly encourage businesses to adopt this best practice as well,” Langevin wrote. “Panera has compounded its initial error by refusing to be transparent about its security practices, or the scale of customers’ data that was actually exposed as a result of the vulnerability. Consumers have a right to know if sensitive data about them has been stolen, which is why I have introduced legislation to provide a uniform data breach notification standard across the country.”
It’s inevitable that along with vulnerability disclosure and bug bounty discussions comes talk of punitive measures to force organizations to treat security concerns seriously. Proposed consumer protection legislation won’t be effective without stiffer penalties, says Mike Litt, the consumer campaign director at U.S. Public Interest Research Group.
“This is a responsibility question.”—Mark Weatherford, senior vice president and chief cybersecurity strategist, VArmour
Litt says the punitive measures don’t need to be as harsh as the fines associated with proposed legislation to force credit-reporting agencies like Equifax to take security more seriously. (If it had been law before last summer’s breach, Equifax would have been fined $1.5 billion after exposing sensitive data of 143 million Americans.). Regardless, there should be “more accountability… A lot of the states are taking the lead when it comes to data security and breach notification,” he says, but it’s “up to the state attorneys general to investigate.”
It’s incumbent on organizations across the public and private sectors to respond to vulnerability notifications with alacrity, says Mark Weatherford, senior vice president and chief cybersecurity strategist at VArmour, a data center security specialist. If they don’t, he says, the consequences could be far worse than a bad news day.
“This is a responsibility question. There [are] data breach regulations in place now that lay out fairly clearly what has to happen,” Weatherford says, adding that Panera received the leak information “on a silver platter.” Even if a vulnerability doesn’t potentially expose personally identifiable information, he says, “there’s an expectation on the consumer side of things that, if I give you my information, there’s going to be some level of protection of it.”
Weatherford, who describes himself as “not a fan of regulation,” says “there’s just simply no excuse” that “nothing was done” to address Houlihan’s report to Panera. It might be time for “enormous,” “devastating” penalties “to create a disincentive for not reacting,” he says. Or, at the very least, to “have a process for ingesting these reports.”
One way to get organizations to prioritize security without resorting to new laws is to force boards of directors and executives to be accountable for breaches, says Debra Farber, a data privacy and information security executive and entrepreneur.
“Once [breach prevention] becomes part of their fiduciary duty, they have take it more seriously,” says Farber, who served as Visa’s senior director of global public policy for security and privacy.
However, she says, the Panera situation should prove to any organization that taking “security seriously” isn’t the same as turning your industrial-strength public-relations blender on high for a day.