Have you ever noticed that most companies say, “We take your security very seriously” only after they demonstrably didn’t take your security all that seriously? The latest business to let its customers down is Panera Bread, a popular bakery chain, whose security countermeasures probably needed a little more time in the oven.
A huge flaw could expose as many as 37 million user accounts. That’s bad enough on its own, but what’s even worse is that Panera has known about the underlying flaw for eight months, and did not address it.
The frankly incredible story comes courtesy of security researcher Dylan Houlihan and his colleague Brian Krebs. Houlihan explained the full story in a detailed Medium post, while Krebs added additional commentary on his own blog.
To simplify a very complex issue: Anyone who’s ever signed up for a Panera account can leverage a flaw in its website to view another user’s information. This includes his or her username, phone number, birthday, and last four digits of a credit card — in addition to a full name, physical address, e-mail address and even dietary restrictions.
It’s not as disastrous as giving up passwords or full credit card numbers, but an enterprising cybercriminal could do an awful lot with the information on offer. In fact, if you were so inclined, you could (eventually) find and log every user in the database just by looking up a user number, then adding 1 to it, until you hit the end of the line. Panera stored all the data in plain text, making it trivial to search and transfer.
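The enumeration pattern described above (fetch user N, then N+1, and so on) is also what a defender can look for in web-server logs. The following is an added example, not code from the article or from Panera: it runs over a few constructed access-log lines and flags any session that requests many distinct profile IDs mostly by stepping the ID up by one. The log format, path and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (session id, method, path); not real traffic.
SAMPLE_LOG = """\
sess=a1 GET /users/10021
sess=a1 GET /users/10022
sess=a1 GET /users/10023
sess=a1 GET /users/10024
sess=a1 GET /users/10025
sess=b7 GET /users/55310
sess=b7 GET /users/55310
sess=c3 GET /users/77
sess=c3 GET /users/4120
"""

# Assumed log shape: one request per line, numeric profile id at the end of the path.
LINE_RE = re.compile(r"sess=(\w+) GET /users/(\d+)")

def parse_log(text):
    """Return {session: [profile_id, ...]} preserving request order."""
    per_session = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            per_session[m.group(1)].append(int(m.group(2)))
    return dict(per_session)

def sequential_fraction(ids):
    """Fraction of consecutive requests whose id is exactly the previous id + 1."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
    return steps / (len(ids) - 1)

def find_enumerators(text, min_distinct=5, min_seq_fraction=0.8):
    """Sessions touching many distinct profiles, mostly by counting upward."""
    flagged = {}
    for sess, ids in parse_log(text).items():
        distinct = len(set(ids))
        frac = sequential_fraction(ids)
        if distinct >= min_distinct and frac >= min_seq_fraction:
            flagged[sess] = {"distinct_ids": distinct, "sequential_fraction": round(frac, 2)}
    return flagged

if __name__ == "__main__":
    for sess, stats in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT session {sess}: {stats}")
```

A normal customer only ever needs his or her own record, so the real fix is an ownership check on the endpoint; the detector above is the monitoring layer that catches the pattern if such a check is missing.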
What you can do (for now)
First off, the bad news: There’s no clear way to protect yourself from this potential breach, especially since the Panera website is currently down. Your best bet for right now is to wait and see what Panera does next, especially since the company issued a statement to Fox Business claiming that it is “working diligently to finalize [its] investigation and take the appropriate next steps.”
(This is also worth taking with a grain of salt, however, as the company claimed — in the same statement! — that the issue is resolved, and that the issue affected fewer than 10,000 customers. Both Houlihan and Krebs have pointed out that these statements are provably untrue. Fittingly, the statement begins with, “Panera takes data security very seriously.”)
Once the site is back up, the most practical step is probably to change your password on the Panera account, as well as on any accounts in which you reused that password. There’s no evidence that the flaw revealed any passwords, of course, but it’s not that hard to track down old passwords from other data breaches and match them with usernames.
When you can, you may also want to log into your account on Panera’s website and delete as much personal information as you can. You may not be able to eliminate the account entirely — and it’s not clear how much data Panera stores that it doesn’t show you — but it’s at least a start. Even if you don’t think you have a Panera account, it’s worth double-checking, since it’s tied into the rewards program in the bakery’s physical locations.
Finally, you could always cancel the credit card that’s associated with your Panera account (if you can pinpoint which one it is). This is an extreme measure, and may not be necessary. But if your Panera account is linked with an older card, perhaps one that you seldom use, canceling it isn’t the worst idea. You won’t notice potential fraud on an older card right away, and by the time you find out, it might be too late to do anything about it.
And although this doesn’t have any direct bearing on your account’s security, no retelling of Houlihan’s story would be complete without his absolutely mind-boggling encounter with Mike Gustavison, Panera’s director of security (for at least the next 20 minutes).
Houlihan discovered the Panera website flaw back in August, and contacted Panera right away. The “firstname.lastname@example.org” e-mail address flat out did not work, so Houlihan attempted to send Gustavison messages through Twitter and LinkedIn. He received no response. When Houlihan finally tracked down Gustavison’s e-mail address (through an industry contact), the response was less than encouraging:
“My team received your emails however it was very suspicious and appeared scam in nature therefore was ignored,” Gustavison replied. (Punctuation is apparently not in vogue at Panera HQ.) “As a security professional you should be aware that any organization that has a security practice would never respond to a request like the one you sent … I will not be duped, demanded for restitution/bounty or listen to a sales pitch.”
Even discounting the unbelievably snide tone (which Houlihan rightly called “not appropriate whatsoever”), what Gustavison said is simply not true. Big companies like Google, Facebook and Apple accept unsolicited bug reports from independent security researchers all the time, and even offer monetary bounties for them. It’s worth pointing out that Houlihan did not request a bounty in his initial e-mail; he simply wanted to discuss the flaw.
After the initial miscommunication, Gustavison assured Houlihan that he would fix the issue as soon as possible. However, Houlihan rechecked the database every month since August, and found that the flaw still persisted. Having lost patience with Gustavison, Houlihan posted his findings on Pastebin and shared them with the world via Medium.
It’s worth noting that before he joined Panera, Gustavison was the director of security operations at Equifax. Sometimes, you just can’t make this stuff up.