Panera Bread, the U.S. chain of bakery-café fast casual restaurants, sits on Forbes’ list of the most trustworthy large caps in America, but its recent handling of a months-long customer data leak is calling its trustworthiness into question.
Krebs on Security published an article earlier this week about a troubling security vulnerability that researcher Dylan Houlihan discovered on Panera Bread’s website, Panerabread.com. The company’s site leaked millions of customer records – including names, addresses, emails, birthdays and the last four digits of credit card numbers – for at least eight months before it was finally taken offline this week following notification by Brian Krebs.
Houlihan had originally sent emails to the company back in August 2017 to alert them to the problem, which Krebs posted along with his report. They indicate that Panera’s director of information security, Mike Gustavison, dismissed the report as a likely scam at first. However, it seems as if the company then validated Houlihan’s discovery and told Houlihan they were developing a solution.
Brian Krebs reported, however, that as late as this week, the site was still continuing to leak customer records in plain text; and with little effort involved, the records could be indexed and crawled by automated tools. Krebs found out about the problem after Houlihan contacted him Wednesday, immediately verified it and called Panera’s chief information officer John Meister to alert him. The site then briefly went down, and is now fully back online minus the leaking data.
Houlihan said he was relieved as he had continued to check on the flaw regularly and “was pissed” because “the flaw never disappeared”.
Houlihan worked out that the data could be taken from the site in bulk, potentially affecting 7 million customers who registered their details to the Panera site to place an order for pick-up or delivery.
“Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you’d like, up to and including the entire database,” Houlihan said.
The database also allows anyone to search for customers via a range of data points, including by phone number.
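The flaw Houlihan describes is a textbook insecure direct object reference: the account ID in the request is a predictable integer and the server never checks that the caller owns the account it asks for. The following added example (written for this article, not Panera's code; all customer records, tokens and log lines are constructed) shows the vulnerable lookup beside a hardened one that uses unguessable opaque IDs and an ownership check, and a small detector that flags clients walking through consecutive account IDs in web-server access logs.

```python
"""Added example (not Panera's code): why sequential account IDs plus a
missing ownership check expose a whole customer table, and two defender-side
controls: an authorization check with opaque IDs, and a log-based detector
for ID-enumeration traffic. All records and log lines below are constructed."""
import re
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Customer:
    name: str
    email: str
    last4: str  # last four digits of the card, as in the leak described above


# Constructed sample table keyed by a sequential integer ID.
CUSTOMERS_BY_INT = {
    1001: Customer("Alice Example", "alice@example.test", "1234"),
    1002: Customer("Bob Example", "bob@example.test", "5678"),
    1003: Customer("Carol Example", "carol@example.test", "9012"),
}


# --- Vulnerable pattern: the handler trusts the ID in the URL and never asks
# whether the authenticated caller owns that account.
def lookup_vulnerable(_session_account_id, requested_id):
    return CUSTOMERS_BY_INT.get(requested_id)


# --- Hardened pattern, two layers:
# 1. The public identifier is an unguessable opaque token, so knowing one ID
#    reveals nothing about any other.
# 2. The handler only serves the record bound to the authenticated session.
def make_opaque_id():
    return secrets.token_urlsafe(16)


CUSTOMERS_BY_TOKEN = {make_opaque_id(): c for c in CUSTOMERS_BY_INT.values()}


class Forbidden(Exception):
    pass


def owns(session_token, requested_token):
    # Constant-time compare so timing does not leak partial token matches.
    return secrets.compare_digest(session_token, requested_token)


def lookup_hardened(session_token, requested_token):
    if not owns(session_token, requested_token):
        raise Forbidden("account does not belong to this session")
    return CUSTOMERS_BY_TOKEN[session_token]


# --- Detection: flag clients whose profile requests step through mostly
# consecutive account IDs. Log format assumed: "<ip> GET /profile/<id> <status>".
LOG_RE = re.compile(r"^(\S+) GET /profile/(\d+) (\d{3})$")


def enumeration_suspects(log_lines, min_requests=5, min_consecutive_ratio=0.8):
    ids_by_ip = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_ip[m.group(1)].append(int(m.group(2)))
    suspects = {}
    for ip, ids in ids_by_ip.items():
        if len(ids) < min_requests:
            continue
        steps = [b - a for a, b in zip(ids, ids[1:])]
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= min_consecutive_ratio:
            suspects[ip] = len(ids)
    return suspects


SAMPLE_LOG = [  # constructed, not real traffic
    "203.0.113.7 GET /profile/1001 200",
    "203.0.113.7 GET /profile/1002 200",
    "203.0.113.7 GET /profile/1003 200",
    "203.0.113.7 GET /profile/1004 200",
    "203.0.113.7 GET /profile/1005 200",
    "203.0.113.7 GET /profile/1006 200",
    "198.51.100.4 GET /profile/1002 200",
    "198.51.100.4 GET /profile/1002 200",
    "198.51.100.4 GET /cart 200",
]

if __name__ == "__main__":
    # Any session can read any integer ID in the vulnerable version...
    print(lookup_vulnerable(1001, 1002))
    # ...but only its own record in the hardened one.
    tok = next(iter(CUSTOMERS_BY_TOKEN))
    print(lookup_hardened(tok, tok))
    print(enumeration_suspects(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

The opaque token alone is not the fix; the ownership check is. Random IDs only remove the cheap enumeration path, while the `owns` check is what stops one customer's session from reading another's record, and the log detector gives operations a signal that the cheap path is being tried even before the code is fixed.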
In a written statement, Panera said it had solved the problem within two hours of being contacted by KrebsOnSecurity; however, it did not explain why it took eight months to fix the issue after being notified by Houlihan.
Links shared by Hold Security following the Krebs story suggest that the data breach may be far larger, and extend to Panera’s commercial division, which serves a large number of catering companies. The number of customer records exposed in the breach now seems to exceed 37 million.