What seems incredible is not only the constant probing and cyberassaults on commercial entities' data but how too many businesses, the latest being Panera Bread, continue their lax handling of customer information.
The restaurant chain's website exposed millions of customer records – including names, email and home addresses, birthdays and the last four digits of customer credit card numbers – for at least eight months, according to Brian Krebs in his blog KrebsOnSecurity. The data contained records for online customers of the St. Louis-based company, which has more than 2,100 North American locations.
KrebsOnSecurity learned about the breach from security researcher Dylan Houlihan, who said he initially notified Panera about the customer data leakage on August 2, 2017.
“Fast forward to early this afternoon — exactly eight months to the day after Houlihan first reported the problem — and data shared by Houlihan indicated the site was still leaking customer records in plain text. Worse still, the records could be indexed and crawled by automated tools with very little effort,” Krebs wrote.
Panera stated it resolved the problem and downplayed the breach's severity, asserting it “only” affected 10,000 records, but Krebs observed that the incremental customer numbers indexed by the site suggested the total could be higher than seven million.
Here is a digest of comments from several cybersecurity experts:
A.N. Ananth, chief strategy officer at Netsurion, a St. Louis-based managed security services provider for multi-location businesses, said, “This weekend it was Saks and Lord & Taylor getting hit for 5 million credit card accounts at their POS, and today it's Panera Bread's website inadvertently leaking data. The sad fact is that if you are a retailer or restaurant, the sharks are circling.”
Anthony James, chief marketing officer at the San Jose, Calif.-based cloud security firm CipherCloud, stated, “Millions of Panera Bread customer records potentially leaked, and most amazing, this went on for at least eight months. This breach is not unusual and mirrors many recent headlines where misconfigurations occur.” He added, “What can others do to ensure they do not become tomorrow's headline? Add the necessary security layers to build zero trust into the systems automatically.”
Willy Leichter, VP of marketing at the San Jose, Calif.-based cybersecurity company Virsec, maintained, “Once again we see a large organization not taking security seriously enough, not reacting immediately when notified of a possible leak, and not promptly notifying customers that their data was exposed. Ongoing events like this will only heighten calls for a national standard on breach notification laws.”
“A company can spend millions on the latest and greatest security technologies and have the most impenetrable defenses known to man. But when you leave the front door open, none of that will matter,” said Travis Smith, principal security researcher at Portland, Ore.-based IT security firm Tripwire. Smith explained that, given breach fatigue and the volume of data already accumulated on the darknet, people outraged today will not even remember the incident next week, and the only genuinely new piece of information attackers have gained is that some individuals like sandwiches.
Terry Ray, CTO of Redwood Shores, Calif.-based cybersecurity company Imperva, indicated, “It's never a good day for companies when there is a proven data breach or data made available long-term, as the Federal Trade Commission can easily get involved and ask simple questions to which you don't have complete answers.”
“This kind of programming mistake is much more common than you would think. We highly advise website owners to perform penetration testing of their websites to identify these types of vulnerabilities as early as possible,” said Mounir Hahad, head of Juniper Threat Labs at Sunnyvale, Calif.-based Juniper Networks. “The site had an open API that anyone on the internet could query and did not require any type of authentication.”
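The two defects the experts describe, an API that returns customer records without any authentication and record numbers that increment predictably, are easy to model. The following is an added example written for this article; it is not Panera's code and was not published by Krebs or any of the quoted companies. It puts the insecure lookup beside a hardened one that requires a session, enforces that callers may only read their own record, and exposes only opaque public identifiers, and it finishes with a defender's check over constructed web-server log lines that flags a client walking through consecutive record IDs. The endpoint path `/api/customer/<id>`, the session tokens, the customer data and the log format are all constructed assumptions.

```python
"""Insecure vs. hardened customer-record lookup, plus enumeration detection.

Added example for illustration only; all data, names and log lines are constructed.
"""
import re
import secrets
from collections import defaultdict

# Constructed sample records keyed by a sequential internal database ID.
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.com", "card_last4": "1234"},
    1002: {"name": "Bob Example", "email": "bob@example.com", "card_last4": "5678"},
}

# Hypothetical session store: session token -> authenticated customer ID.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}

# Opaque, non-sequential public identifiers so the internal ID never leaves the server.
INTERNAL_TO_PUBLIC = {rid: secrets.token_urlsafe(16) for rid in CUSTOMERS}
PUBLIC_TO_INTERNAL = {pub: rid for rid, pub in INTERNAL_TO_PUBLIC.items()}


def lookup_insecure(record_id):
    """Insecure pattern: no authentication, sequential ID taken straight from the URL.
    Any client that can reach the endpoint can walk through every record."""
    return CUSTOMERS.get(record_id)


class Forbidden(Exception):
    """Raised when a request fails authentication or object-level authorization."""


def lookup_hardened(public_id, session_token):
    """Hardened pattern: require a valid session, resolve the opaque public ID,
    and return the record only if the session owner is that record's owner."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise Forbidden("authentication required")
    record_id = PUBLIC_TO_INTERNAL.get(public_id)
    if record_id is None or record_id != owner:
        # Same error for "missing" and "not yours" so the response does not
        # confirm whether a record exists.
        raise Forbidden("no such record for this session")
    return CUSTOMERS[record_id]


def is_denied(public_id, session_token):
    """Helper for tests: True if the hardened lookup refuses the request."""
    try:
        lookup_hardened(public_id, session_token)
    except Forbidden:
        return True
    return False


# Constructed access-log lines in a common combined-log shape (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*"GET /api/customer/(?P<id>\d+) [^"]*" (?P<status>\d{3})'
)
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2018:14:01:01 +0000] "GET /api/customer/1001 HTTP/1.1" 200 412
203.0.113.7 - - [02/Apr/2018:14:01:01 +0000] "GET /api/customer/1002 HTTP/1.1" 200 398
203.0.113.7 - - [02/Apr/2018:14:01:02 +0000] "GET /api/customer/1003 HTTP/1.1" 200 401
203.0.113.7 - - [02/Apr/2018:14:01:02 +0000] "GET /api/customer/1004 HTTP/1.1" 200 377
203.0.113.7 - - [02/Apr/2018:14:01:03 +0000] "GET /api/customer/1005 HTTP/1.1" 200 390
203.0.113.7 - - [02/Apr/2018:14:01:03 +0000] "GET /api/customer/1006 HTTP/1.1" 200 405
203.0.113.7 - - [02/Apr/2018:14:01:04 +0000] "GET /api/customer/1008 HTTP/1.1" 404 152
198.51.100.5 - - [02/Apr/2018:14:05:00 +0000] "GET /api/customer/1001 HTTP/1.1" 200 412
"""


def find_enumeration(log_text, min_run=5):
    """Return {ip: longest run} for clients that successfully fetched at least
    `min_run` consecutive record IDs, the signature of ID enumeration."""
    ids_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("status") == "200":
            ids_by_ip[m.group("ip")].add(int(m.group("id")))
    flagged = {}
    for ip, ids in ids_by_ip.items():
        longest = run = 0
        prev = None
        for rid in sorted(ids):
            run = run + 1 if prev is not None and rid == prev + 1 else 1
            longest = max(longest, run)
            prev = rid
        if longest >= min_run:
            flagged[ip] = longest
    return flagged


if __name__ == "__main__":
    print("insecure lookup of 1002:", lookup_insecure(1002))
    print("hardened lookup as Alice:", lookup_hardened(INTERNAL_TO_PUBLIC[1001], "tok-alice"))
    print("Alice reading Bob denied:", is_denied(INTERNAL_TO_PUBLIC[1002], "tok-alice"))
    print("enumeration suspects:", find_enumeration(SAMPLE_LOG))
```

The insecure function is the shape of the problem described in the quotes: whatever number arrives in the request is used as the database key, so the whole table is one loop away. The hardened function fixes three things at once, it demands a session, ties the record to the session's owner rather than to a client-supplied number, and hands out random public identifiers so there is nothing to increment. The log check is the compensating control for a defender who inherits such an endpoint: a single client successfully reading a long run of adjacent IDs is worth an alert long before eight months pass.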
Paul Bischoff, privacy advocate at the U.K.-based security testing company Comparitech, said, “The Panerabread.com leak is an inexcusable oversight that not only took far too long to fix but should have never occurred in the first place.” He also warned against signing up for loyalty programs because it is very difficult to know whether a company takes information security seriously.
Tim Erlin, VP, product management and strategy at Tripwire, recommended, “Don't just criticize the response; use the incident as a model for how your own organization might respond.”
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.