
Panerabread.com leaks millions of customer records - Thrymr
https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/
======
somberi
Commenting only on the speed of response (or the glacial interpretation of it
in Panera's case):

For companies operating in the European Union, the General Data Protection
Regulation (GDPR) (1) mandates that such breaches be disclosed within 72
hours. The implementation deadline for GDPR is the end of May 2018 (~7 weeks
to go).

Under Armour, a US-based sports apparel manufacturer which operates in the EU
as well, recently had a breach that affected 150 million users, and went
public within 3 days of discovering the breach (2).

I believe Under Armour's case is the norm we can expect going forward.

(1) [https://en.wikipedia.org/wiki/General_Data_Protection_Regulation](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation)
(2) [http://www.bbc.com/news/technology-43592470](http://www.bbc.com/news/technology-43592470)

------
crescentfresh
Good read outlining the timeline of events from the person who originally
reported the leak:
[https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815](https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815)

I found his initial interaction with their head of IT Security (very first
initial response) laughably appalling:

    
    
        Dylan Houlihan <dylan@breakingbits.com>
        to Mike, Geri Haight -
    
        Hello Mike et al,
    
        Thank you for making yourselves available. There is a security vulnerability on the delivery.panerabread.com website that 
        exposes sensitive information belonging to every customer who has signed up for an account to order Panera Bread online. 
        This shows the customer's full name, email address, phone number and the last four digits of their saved credit card number.
        Moreover, the customers are easily enumerable which means an attacker could crawl through all the records.
    
        I can provide the specific details of the vulnerability over email once you respond, but if you prefer (for more security), 
        I can also encrypt the information with a PGP key you provide me. Alternatively we can hop on a phone call.
    
        Best regards,
        Dylan Houlihan
    

And their response:

    
    
        Mike Gustavison <Mike.Gustavison@panerabread.com>
        to dylan
    
        Dylan,
    
        My team received your emails however it was very suspicious and appeared scam in nature therefore was ignored. If this is
        a sales tactic I would highly recommend a better approach as demanding a PGP key would not be a good way to start off. 
        As a security professional you should be aware that any organization that has a security practice would never respond to
        a request like the one you sent. I am willing to discuss whatever vulnerabilities you believe you have found but I will 
        not be duped, demanded for restitution/bounty or listen to a sales pitch.
    
        Regards,
        Mike

~~~
mr_overalls
"...demanding a PGP key"

This kind of incompetence directly endangers the privacy and security of
anyone who does business with Panera. And it's reminiscent of the kind of
incompetence that characterized the Equifax breach and other recent high-
profile hacks.

Maybe it's time that a subset of IT workers become professionally licensed and
liable, like engineers.

~~~
UberBoll
>it's reminiscent of the kind of incompetence that characterized the Equifax
breach

Go to Mike's LinkedIn and he is the former "ISO - Sr. Director of Security
Operations" for Equifax.

~~~
sli
I tell you, if I were this incompetent, I'd be homeless. Not in a cushy, high
paying corporate job.

~~~
praneshp
Which means he's not incompetent. He's competent, just not at information
security.

~~~
mr_overalls
Competent at MBA-speak, golf, and schmoozing, most likely.

------
ourmandave
Jesus Christmas. Honestly, how many more times can they steal my ID?

It's gotten so they have to run a diff to see if there's anything new.

~~~
perl4ever
Well, at least they didn't leak their customers' HIV statuses, unlike the
other security breach I read about yesterday...

~~~
ethanwillis
Was that the Grindr one? That's a HIPAA violation... big fines...

~~~
detaro
HIPAA only applies to health-care providers and related entities, not random
other companies.

~~~
nkozyra
Related entities includes the broader "clearinghouse" entity, which has been
applied to debt collectors.

I agree it would be a stretch to make a claim but I'm not 100% sure it would
be fruitless.

~~~
emaginniss
A debt collector would apply since they have been contracted by a HIPAA-
covered entity and the data they have likely came from that source. Grindr is
completely unrelated to another HIPAA-covered entity and any health data you
give them is solely your responsibility... so don't.

------
ams6110
The standard "we take security very seriously" is starting to ring a bit
hollow.

~~~
rbobby
No worries.... thoughts and prayers will soon replace it.

------
fantunes
The guys responsible for the information security worked at Equifax before:
[https://www.linkedin.com/in/mike-gustavison-b020426/](https://www.linkedin.com/in/mike-gustavison-b020426/)

Coincidence? Strike two?

~~~
yAnonymous
Could this be a scheme to sell customer data?

I assumed for some time that installing backdoors is a good way to sell
customer data you otherwise wouldn't be allowed to share.

~~~
FRex
Equifax didn't fall victim to a backdoor but to an outdated Apache Struts that
no one noticed.

~~~
yAnonymous
I'm not only talking about this particular case, but in general. "Accidental"
backdoors let companies share data they legally couldn't share.

Look at Facebook and how their API was surprisingly abused for years until
they noticed it.

------
kevin_thibedeau
Let me guess. They passed their PCI audits with flying colors.

~~~
maxlybbert
I’m sure the only reason that only partial credit card numbers were stolen is
that PCI makes it very hard for Panera to store complete credit card numbers
(with expiration dates and the security code on the back).

~~~
lsaferite
> PCI makes it very hard for Panera to store complete credit card numbers
> (with expiration dates and the security code on the back)

How about impossible. Storing the CVV number is 100% not allowed. Even storing
complete cards numbers is only allowed under very specific conditions. Any
deviation opens them up to liability for related fraud.

~~~
CWuestefeld
_Even storing complete cards numbers is only allowed under very specific
conditions._

We encrypt these at the app, even before putting them into the DB, yada yada.
The PCI auditor actually made us restore the DB from backup onto another
server and show them the data, to prove that some magical process in the
backup program didn't cause them to come un-encrypted. They also wanted us to
change all corporate email addresses to random characters, ostensibly to
prevent spearphishing (we declined to take this suggestion). My point is that
they go to crazy lengths to ensure you're doing this stuff right.

~~~
lsaferite
I find PCI compliance annoying mostly due to individual auditor predilections.

~~~
CWuestefeld
I've heard that there's a fair amount of variability. Obviously at least part
of our audit team were lunatics.

------
tuna-piano
A- This is infuriating

B- How can a company have such a bad response? I think just about every big
company has put a huge emphasis on data security. But hey, companies are big
and technology is complex, so maybe data leaks still happen. But when they do,
how can you treat them with such a lack of care? And how can the director of
Security be alerted about this and not fix it? Seems potentially criminally
negligent?

C- The tweets from Brian Krebs are also infuriating (and hilarious):
[https://twitter.com/briankrebs](https://twitter.com/briankrebs)

Some highlights:

"Per my last tweet, Panera issued a statement to Fox News saying the breach
only impacted 10,000 customer accounts. Interesting that they had no numbers
for me, and yet had this 10k number all ready to go on the same day this was
"discovered," eight months after it was reported."

"Hey Panera, despite your statements to the contrary, you still haven't fixed
this customer info leak. Would you like to revisit the 10k number you just
gave to Fox news? [https://delivery.panerabread.com/foundation-api/users/12345](https://delivery.panerabread.com/foundation-api/users/12345)"

"you know what, let's go for 37M instead of 7M:
[https://delivery.panerabread.com/foundation-api/users/12345](https://delivery.panerabread.com/foundation-api/users/12345)"

"At the risk of making my job harder (or possibly, easier?) it's clear I'm
going to have to write an entire series of blog posts about how not to handle
a data breach from a PR perspective. I'm sputtering over here. Gave
@panerabread every courtesy and they treat me like an idiot"

"Hey @panerabread : before making half-baked statements to the press to
downplay the size of a breach, perhaps you should make sure the problem
doesn't extend to all other parts of your business, like
[http://catering.panerabread.com](http://catering.panerabread.com) , etc. Only
proper response is to deep six entire site"

~~~
andimm
Krebs doesn't have to write his own blog series on how to handle breaches
(although I might be interested in his version as well). Troy wrote a nice
post about it:

[https://www.troyhunt.com/data-breach-disclosure-101-how-to-succeed-after-youve-failed/](https://www.troyhunt.com/data-breach-disclosure-101-how-to-succeed-after-youve-failed/)

------
danso
I love that the maintenance page has a button labeled "Order Online"
([https://delivery.panerabread.com](https://delivery.panerabread.com)), which
is the page/domain broken in the first place!

[https://imgur.com/a/4xess](https://imgur.com/a/4xess)

------
mxpxrocks10
Thread from earlier today:
[https://news.ycombinator.com/item?id=16737583](https://news.ycombinator.com/item?id=16737583)

------
kardashev
Aaron Swartz faced 35 years in prison for leaking JSTOR articles.

Instead of fines, the Chief Security Officer should be fully responsible and
face 35 years in jail if a breach happens.

You better believe they'll care about security then.

Many companies would also rethink whether they need to track and keep personal
information at all.

~~~
1690v
That is a terrible idea. Imagine sentencing programmers to jail for security
issues in their code.

~~~
toomuchtodo
Why is a software developer an engineer when it fluffs their ego, but not an
engineer when regulation and consequences for failures are necessary?

Yes, if the security failure is grossly negligent, you should face criminal
proceedings. As a C level executive, you are responsible for your chain of
command.

~~~
zpr
By that extension if a McDonald's drive thru employee accidentally spills hot
coffee on a customer, the CEO is responsible and should be charged with
assault?

~~~
toomuchtodo
Is that grossly negligent? No. Is keeping the coffee excessively hot for cost
reasons, thereby causing the customer to receive third degree burns on their
genitals and winning in court? Yes.

[https://en.m.wikipedia.org/wiki/Liebeck_v._McDonald%27s_Restaurants](https://en.m.wikipedia.org/wiki/Liebeck_v._McDonald%27s_Restaurants)

Your culture is set by your leadership. Make good choices.

~~~
zpr
I'm familiar with the case, that's why I mentioned it. My point was that
although they lost the civil suit, there weren't any criminal proceedings
against C-levels. I understand the argument of negligence being as guilty as
malicious intent but it creates a sweeping blanket that's hardly fair or
enforceable.

I agree with your principles in theory but it's just impractical.

~~~
toomuchtodo
The Department of Justice was able to dismantle Arthur Andersen after their
fraudulent audits of Enron. Lots of things that are impractical are possible
with sufficient effort. And the government has unlimited resources for those
efforts.

You must hold systemic negligence and corruption accountable, or it
perpetuates the cycle.

~~~
kasey_junk
A) The DOJ had been looking at Andersen for years prior to Enron due to
irregularities with other major firms like Waste Management Inc. Enron was not
an isolated incident.

B) They were prosecuted for the very specific crime of obstruction of justice
after they were caught destroying evidence. It wasn't some backlash against a
nebulous problem.

C) Their conviction was overturned!

I'm not sure you could have picked a worse example for arguing your point.

------
username223
This is why you should lie as much as you can when dealing with for-profit
corporations, especially online. Any information you give them will eventually
be available to everyone, because they have no reason to care.

------
kerng
Wow, this story is amazing. Company got notified last August of a 0 day (no
authentication) to download all customer records, but no action taken for half
a year. Then a very bad PR stunt leading to even more exposure - one can't
make this stuff up... it's April 3rd already, right?? Wondering why they
couldn't just really fix the problem? Would be interesting to learn more on
how they do engineering? E.g. was it all outsourced and someone else tries to
fix it now? This year is going to be good!

~~~
stef25
That's not what 0 day means.

~~~
kerng
It's exactly a 0 day. They were notified last August of a 0 day in their
website and 6 months (6*31 days, 31 for simplicity) later it still was not
fixed.

Here the definition:

[https://en.m.wikipedia.org/wiki/Zero-day_attack](https://en.m.wikipedia.org/wiki/Zero-day_attack)

~~~
beart
I think your original statement was confusing because you put 'no
authentication' in parentheses, implying that to be the definition of 0-day.

------
mvkel
Cases like this are why I think the general public vastly overestimate the
capabilities of government surveillance. These same people work at NSA, CIA,
etc.

Not to insult the intelligence of these fine agency folk; my point is security
is only as strong as its weakest link. And whether public or private, people
can make some very weak choices.

------
JohnJamesRambo
Is there any hope companies like the Y Combinator backed Request Network can
save us from this happening over and over?

A summary of their plan is at
[https://request.network](https://request.network).

What things would prevent them from implementing this? Seems like a great way
to stop losing credit card and identity info in breach after breach.

~~~
danso
Maybe in the future, but there are plenty of companies that are around Panera's
size that had to get into the online-ordering space before SaaS was as big as
it is today. Thankfully, much smaller eateries now can use Yelp or Seamless to
deal with account management instead of rolling their own bespoke systems.

------
SeriousM
It's not a breach when it's openly accessible. It's a leak and nothing else.

~~~
kerng
Not sure if you are trying to be sarcastic. As soon as someone downloads the
dataset it's a breach. By design vulnerabilities are always the best.

------
justherefortart
When you rush shit out the door and don't support your development team, this
is sadly a common occurrence.

------
DrScump
And I was worried about the acrylamide.

~~~
corpMaverick
I didn't even know about acrylamide. Now I am worried.

------
hashkb
Their bagels are also pathetic and embarrassing.

------
dsacco
So here's a fun note - as it turns out, the Panera Bread Director of
Information Security mentioned in that email exchange worked at Equifax from
2009 to 2013. There's a comment mentioning it on that page, but you can find
it just by looking at his LinkedIn:
[https://www.linkedin.com/in/mike-gustavison-b020426/](https://www.linkedin.com/in/mike-gustavison-b020426/)

Time is a flat circle. Everything that has happened before will happen again.
Every time it happens, we will hear "Security is our top priority" or "We take
security very seriously."

EDIT: This just got more interesting. Turns out that despite taking the site
down for an hour earlier today, they didn't fix it:
[https://twitter.com/briankrebs/status/980944555423002630](https://twitter.com/briankrebs/status/980944555423002630)

Also, based on the vulnerability still working at this endpoint [1], Krebs
revised his estimated number to 37 million records:
[https://twitter.com/briankrebs/status/980949205974953984](https://twitter.com/briankrebs/status/980949205974953984)

________________________________

1. [https://delivery.panerabread.com/foundation-api/users/6781415](https://delivery.panerabread.com/foundation-api/users/6781415)

~~~
portofcall
Don’t forget, “We’re sorry,” “We’ll do better,” and my personal favorite,
“Trust us!”

I’d prefer crippling fines.

~~~
tyingq
_"I’d prefer crippling fines"_

Probably won't happen until some Senator gets personally burned. Equifax
hasn't suffered much, for example, and they released almost all of their info
for every adult in the US that ever used a credit card or had a mortgage.

I'm almost wishing some activist hacker would buy the data for the House and
Senate reps and go to town... just to get their attention. Purchase pornhub
accounts, shady drug site stuff, escorts, etc, and start sharing it publicly.

~~~
komali2
My guess is that senators that have been burned have been done so secretly and
are being blackmailed.

The Equifax dump was apparently huge.

~~~
mschuster91
> My guess is that senators that have been burned have been done so secretly
> and are being blackmailed.

The whole bunch has been blackmailed for decades. Just not "ordinary"
blackmailing, but threatening by big funders to cut said funding unless, for
example, the politician keeps supporting NRA/BigAg/BigFinance-favorable
policies...

~~~
komali2
Hmm, I like this point, but is that blackmail or more just "the system?"

------
tytytytytytytyt
Maybe someone could go in to business and provide services that would help
companies prevent these things from happening?

~~~
efficacydivis
Security consultants and contractors already exist.

But why would Panera, Equifax, et al bother investing in better security when
they face no consequences for these incidents?

Markets can't solve everything.

~~~
tytytytytytytyt
> Security consultants and contractors already exist.

Thanks for that protip.

------
changoplatanero
Years ago, I was assigned to clean up an office building that had recently
been vacated by a government cybersecurity contractor. While throwing away all
the trash that had been left behind I discovered a binder that had at least a
hundred pages of print outs from MapQuest with the location of the Panera
Bread on each circled in pen.

~~~
delfb
That could’ve easily been a really boring office lunch option binder, though.
;)

~~~
changoplatanero
It was a hundred Panera Breads from all over the East Coast. Something
suspicious was going on...

~~~
ribosometronome
Do you think it could have been some sort of investigation? Like they say,
criminals aren't born, they're bread.

~~~
mikeash
I can’t decide whether to flag this or upvote it. I guess I’ll settle for
replying.

~~~
arduanika
Come on, let's stay on topic. All I'm trying to figure out is, have I been
scwned?

