
Panera Bread did nothing about its customer data vulnerability for eight months - CiPHPerCoder
https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815
======
somberi
I had posted it on the other link as well (1), but since it is relevant to
this discussion, reposting it here:

Commenting only on the speed of response (or the glacial interpretation of it
in Panera's case): For companies operating in the European Union, the General
Data Protection Regulation (GDPR) (2) mandates that such breaches be disclosed
within 72 hours. The implementation deadline for GDPR is the end of May 2018
(~7 weeks to go).

Under Armour, a US-based sports apparel manufacturer which operates in the EU
as well, recently had a breach that affected 150 million users, and went public
within 3 days of discovering the breach (3).

I believe Under Armour's case is the norm we can expect going forward.

(1)[https://news.ycombinator.com/item?id=16739753](https://news.ycombinator.com/item?id=16739753)

(2)[https://en.wikipedia.org/wiki/General_Data_Protection_Regula...](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation)

(3)[http://www.bbc.com/news/technology-43592470](http://www.bbc.com/news/technology-43592470)

------
diziet
As someone who receives vague security emails from folks who say we have a
'vulnerability' and ask if we have a 'rewards program for bugs' and try to ask
'how much money I will be paid for the bug', Dylan's first email is very
legitimate and specific. It comes from a non-generic domain (i.e., not a
"john.smith.1234@gmail.com" email), with an identity that could easily be
verified.

In fact, as someone who would work on the API facing side of things, even that
report would be enough to discover the areas to dig around and find the
vulnerabilit(y|ies). There must be an API or HTTP or some other endpoint that
takes in a user id, rewards card, zip code, phone number or something similar
and returns data for an arbitrary user(s). Let's audit all our endpoints and
see where the vulnerability might be.

I've also reported similar vulnerabilities before, and I have received a whole
range of responses.
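
The bug class diziet describes, as an added example that is not code from the
thread or from Panera: an endpoint that takes a customer identifier and returns
that customer's record without checking who is asking, shown beside a lookup
that enforces ownership, plus the detection a defender would want, flagging a
session that walks through many distinct customer IDs in the access log. The
customer records, the `/api/customer/` route and the log lines are all
constructed for the example.

```python
from collections import defaultdict

# Constructed sample store: loyalty-card number -> customer record.
CUSTOMERS = {
    "6001": {"name": "A. Example", "phone": "555-0101", "last4": "4242"},
    "6002": {"name": "B. Example", "phone": "555-0102", "last4": "1337"},
}


def lookup_vulnerable(requested_id):
    """The pattern discussed in the thread: any caller, any ID, full record."""
    return CUSTOMERS.get(requested_id)


def lookup_hardened(session_user, requested_id, is_staff=False):
    """Authorization check: a caller may read only the record matching the
    identity bound to their session, unless they hold a staff role. 'Not
    found' and 'not yours' both return None so the response does not reveal
    which IDs exist."""
    if not is_staff and session_user != requested_id:
        return None
    return CUSTOMERS.get(requested_id)


# Constructed access-log lines: session id, method, path (hypothetical route).
ACCESS_LOG = """\
s1 GET /api/customer/6001
s1 GET /api/customer/6001
s2 GET /api/customer/6001
s2 GET /api/customer/6002
s2 GET /api/customer/6003
s2 GET /api/customer/6004
s3 GET /api/customer/6002
"""


def enumeration_suspects(log_text, threshold=3):
    """Return sessions that requested at least `threshold` distinct customer
    IDs. A legitimate customer touches one ID; a scraper walks the ID space."""
    prefix = "/api/customer/"
    ids_by_session = defaultdict(set)
    for line in log_text.splitlines():
        session, _method, path = line.split()
        if path.startswith(prefix):
            ids_by_session[session].add(path[len(prefix):])
    return sorted(s for s, ids in ids_by_session.items() if len(ids) >= threshold)
```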

~~~
sigmar
The reply to Dylan's first email is very bizarre. Is it just me or is asking
for a PGP key neither suspicious nor uncommon? It sounds like the least scammy
request possible. What scammer would want to go through the trouble of PGP
encrypting communication?

~~~
will4274
It makes perfect sense to me - he doesn't know what a PGP key is and just read
the word key.

------
ianbicking
"No, Panera Bread Doesn’t Take Security Seriously"

I didn't expect this to be an actual description of a security event, but just
a rhetorical observation: of course Panera Bread doesn't take security
seriously. There's no "security" in the name of their company. They are not in
the security business. I think they do actually take bread seriously. And
store location, and customer service, and stuff like that, because that's the
kind of business they are.

Because of PCI you can expect they probably do handle your credit card (except
apparently the last 4) reasonably well. Because of other regulations you can
expect they take food safety seriously. They take basic business operations
seriously because there's a bunch of professional business-runners, and they
know they really have to.

~~~
joering2
> I think they do actually take bread seriously.

No they don't. They admit on record to using the same additives as Subway,
mostly rubber-type chemicals invented by BASF that make bread more elastic,
keep it from going dry as quickly and give it a longer shelf life. Basically,
when you eat their bread, some of the ingredients are the same as in the tires
your car rides on!

A further good read on how horrible the quality of their food is:

[https://www.thealternativedaily.com/panera-bread-additives/](https://www.thealternativedaily.com/panera-bread-additives/)

~~~
mthamil
You can't be serious about that link. It is a quack website that claims that
wheat and sugar are harmful additives! It also uses the number of ingredients
as a good metric of the healthiness of food.

------
harryh
Forget complicated questions about corporate policy, the costs of verifying
security, the limited negative impact that companies seemingly face when
problems like this happen. Those questions are definitely interesting, but
they're hard questions and I'm not in the mood for hard thinking right this
second.

What blows my mind here is the actions of a single person. The Security
Director got an email about a dead simple vulnerability in his company's
website/api. All he had to do was paste a single link into a browser to verify
that there was a big big problem. And he did nothing?

I simply can't understand that.

What was this guy doing every day? Did he have any sense of professional
self-respect at all? Did he think it would just... go away? It's so confusing.

Do you think he... didn't know how to decrypt the PGP-encrypted description?
And that he was too embarrassed to say so? In a weird way that's my most
charitable explanation.

~~~
irrational
Did you notice the part about his previous job as the director of security for
Equifax? He is obviously clueless about technology and security.

~~~
harryh
While I am sure that there are clueless people that have worked on the
security team at Equifax, I'm willing to bet that there have been good people
too. It's hard to sort out the good from the bad and what problems are
individual and what were systemic.

~~~
exabrial
Putting a person who majored in music theory into the Information Security
Officer position at a company of Equifax's size shows how much they actually
regard your information as something important.

I actually dislike bringing this up, because I respect the people who have
gone through music education; while it doesn't pay in terms of salary, it's
certainly something they are passionate about and love dearly. But just as
they would not hire me to direct an orchestra, I would not hire them to secure
critical financial systems. This isn't to say there is a fault with them, it's
just to say that we all have our strengths in certain areas.

~~~
wglb
This is clearly wrong. Do you know who Mudge is? Check out the Wikipedia page
for him at
[https://en.wikipedia.org/wiki/Peiter_Zatko](https://en.wikipedia.org/wiki/Peiter_Zatko)
and note his degree.

~~~
irrational
Aren't we talking about Mike Gustavison? Does Peiter Zatko work at Equifax or
Panera?

~~~
wglb
We are apparently talking about _who majored in music theory_ and my point is
that is totally irrelevant.

------
joering2
First screenshot from the post [1]:

 _[...] will never respond to a request like the one you sent [...]_

Dylan did not ask for a bounty, and it wasn't a sales pitch! This Mike guy
could not even understand the basic underlying tone of the message, not to
mention the technical issues the problem relates to. I hope Mr. Mike Gustavison
is NOT with the company anymore, or at least is off the public-facing keyboards!

[1] [https://cdn-images-1.medium.com/max/2000/1*oJEZOkK6qtq2RreBN...](https://cdn-images-1.medium.com/max/2000/1*oJEZOkK6qtq2RreBNgBQqQ.png)

EDIT: okay, update from Krebs' Twitter -- Mr. Mike used to work at... Equifax :)

 _Oh look, the guy my source initially notified at @panerabread EIGHT MONTHS
AGO -- their dir. of info security -- was senior dir. of security operations at
Equifax until 2013. Shocker._

Maybe he should open his own security company... with all of his experience.

~~~
CamperBob2
It's not hard to guess what's behind Gustavison's knee-jerk accusation of
extortion. With his '1337 security skillz, he will have been getting actual
extortion demands -- and probably paying them -- for a long time. Probably
more than one a day.

------
danso
Even with the other Panera-related threads that made the front page, this is a
good read because I was wondering how exactly (and how thoroughly) the
researcher attempted to contact Panera -- seems he went above and beyond just
trying a few emails to the customer support line. Panera definitely had plenty
of warning here.

------
gorbachev
Going on three years of uninterrupted free credit monitoring now. I'm so glad
my run will get extended courtesy of Panera.

~~~
driverdan
There's nothing in this leak that can be used to damage your credit.

~~~
AstralStorm
That depends on what the ratings were.

------
exabrial
For _this_ particular bug, I would have reported it anonymously in private and
given them 48 hours before I went public. Vulnerabilities are one thing: you
don't want to rush a patch and create more problems than you started with, and
it's safe to assume you don't know everything about the systems involved. But
direct data leakage is an entirely different matter.

------
mnm1
No shit. Name any company that does. Until there are serious consequences for
leaks like this, no company will take security seriously. There is no
incentive. Jail some executives and take their earnings and I guarantee this
will change. Short of that, or some other serious punishment, this isn't
really even news anymore. Self-regulating industry is a joke.

~~~
CiPHPerCoder
> No shit. Name any company that does.

Paragon Initiative Enterprises.

------
greggman
The only way security will ever be taken seriously is if there are fines for
leaking data. $1000 per user per incident. Nothing will ever happen otherwise.
There is zero incentive.

~~~
gruez
Great, now you've incentivized coverup of breaches.

~~~
smt88
Whistleblowers should be (maybe are?) given a cut of any fines that their
disclosure results in.

~~~
chias
If we're talking $1000 per impacted user as suggested by GP, then I'm
wondering just how small a fraction of the 37 billion dollar fine it would
take for me to swallow my morals and "accidentally" cause or approve changes
which cause a vulnerability like this, so I can then blow the whistle and
collect my check. As a security engineer, I doubt my net worth will ever reach
even 0.05% of that.

~~~
smt88
Whistleblowers should be compensated for uncovering intentional negligence and
violation of laws, not accidents. There should be a pattern of bad behavior
that the whistleblower couldn't create herself.

------
jtokoph
Video about how Panera's number one priority is protecting your data:
[https://www.akamai.com/us/en/our-customers/customer-stories-...](https://www.akamai.com/us/en/our-customers/customer-stories-panera-bread.jsp#7155)

Archives:
[https://web.archive.org/web/20180403215610/https://www.akama...](https://web.archive.org/web/20180403215610/https://www.akamai.com/us/en/our-customers/customer-stories-panera-bread.jsp)

[https://archive.org/details/panera-security-video](https://archive.org/details/panera-security-video)

------
joering2
Okay, I tried to mimic the URLs in the post to see if my own data is there. The
whole Panera website is down. Is it just me or everyone else? :)

If everyone - wonder if this is the "Hacker News effect" :)

EDIT: down for everyone:
[http://www.isitdownrightnow.com/panerabread.com.html](http://www.isitdownrightnow.com/panerabread.com.html)

I guess they DO eventually take security seriously :)))

------
will4274
How far up the chain is Sr Director of Security at Equifax? That sounds like 2
or 3 rungs from the CEO? Or is it just corporate speak?

------
exabrial
Credit card numbers are sort of like symmetric keys... anyone that knows your
credit card number can also authorize transactions. Why can't we have ECDSA
instead?

~~~
AstralStorm
No, they also need CVV2 and expiration date. (That said, a 3 digit number is
easy to crack. The date is just 1 bit on top.) In more modern setups, there
are things like MasterCard Secure or Visa 3D Secure which require direct
authorisation with a token. (One time key, token hardware, phone secure
element token.) The tokens are much more secure than PKI without a password.

And then there are decent banks that will put suspicious and/or big
transactions on hold for phone authorization. And you cannot change auth data
easily without knowing the account password and potentially again authorizing
changes with a token. (Remember to disallow changing data over the phone. Most
banks require extra work to enable phone account management anyway.)

And in any case you can dispute the suspicious transaction and probably get
notifications about these.

------
archgoon
How is this a dupe?

~~~
merricksb
This article
[https://news.ycombinator.com/item?id=16739753](https://news.ycombinator.com/item?id=16739753)
(which is linked from the top comment above) was posted 10 hours ago, is
currently in position 11 with over 250 votes and 73 comments, and includes
much of the same information, including screenshots.

------
snow_mac
At least their bread is better than their security...

------
jumelles
I would have thought that companies would have woken up by now to the idea
that security is important and worth the cost...

~~~
ams6110
Being charitable, I think the more likely explanation is that CTOs/CFOs do not
understand how easily these things can happen, and how much data can be
exposed by a "small" mistake.

One line of code can expose 30,000,000 records. That's hard to get your head
around if you are not a programmer.

~~~
djsumdog
From the description, this wasn't one line of code, this was a major design
oversight. Either nobody is security-conscious on the dev team handling their
mobile/web services, or it's just one guy with no code review on major
components, or the people who complained were tuned out, ignored, placed on low
priority, or some other totally irresponsible managerial action.

You have to have a lot of bad process in place for something like this to get
in.

------
tytytytytytytyt
"Hey @panerabread : before making half-baked statements..."

~~~
bonestamp2
The @ symbol reminded me... not sure if it's still true, but about a year ago
you could create a password that contained an @ symbol but you couldn't log in
with it in their mobile app.

Also, sometimes when I give them my phone number for my loyalty card it works,
and sometimes it doesn't... an alarming number of times it doesn't work, all
of which makes me think they have some questionable IT practices going on. I
should have seen this coming.

------
mattmaroon
But they do take bread seriously, and their name isn't Panera security.

------
ythn
I don't really like these kinds of articles. It's like "Hey, look, publicly
shame this non-technology company that probably never gets bug reports for not
jumping to immediately fix my bug report!"

Seems (just a little) like bullying. I'm sure I could do the same to lots of
auto shops around my city that have really basic websites and then publicly
shame them for not investing enough in security even though security is the
biggest money sink ever that never gets fully solved.

~~~
nkozyra
Cannot disagree with this more. There was far more than due diligence
demonstrated here.

~~~
apetresc
You must be kidding. From all appearances they did absolutely nothing except
take their entire API down after 8 months.

~~~
nkozyra
You misunderstand. Due diligence on the part of those _reporting_ the
vulnerability.

