For companies operating in the European Union, the General Data Protection Regulation (GDPR) (1) mandates that such breaches need to be disclosed within 72 hours. The implementation deadline for GDPR is by the end of May 2018 (~7 weeks to go).
Under Armour, a US-based sports apparel manufacturer, which operates in the EU as well, recently had a breach that affected 150 million users, and went public within 3 days of discovering the breach (2).
I believe Under Armour's case is the norm we can expect going forward.
I found his initial interaction with their head of IT Security (very first initial response) laughably appalling:
Dylan Houlihan <firstname.lastname@example.org>
to Mike, Geri Haight -
Hello Mike et al,
Thank you for making yourselves available. There is a security vulnerability on the delivery.panerabread.com website that
exposes sensitive information belonging to every customer who has signed up for an account to order Panera Bread online.
This shows the customer's full name, email address, phone number and the last four digits of their saved credit card number.
Moreover, the customers are easily enumerable which means an attacker could crawl through all the records.
I can provide the specific details of the vulnerability over email once you respond, but if you prefer (for more security),
I can also encrypt the information with a PGP key you provide me. Alternatively we can hop on a phone call.
Mike Gustavison <Mike.Gustavison@panerabread.com>
My team received your emails however it was very suspicious and appeared scam in nature therefore was ignored. If this is
a sales tactic I would highly recommend a better approach as demanding a PGP key would not be a good way to start off.
As a security professional you should be aware that any organization that has a security practice would never respond to
a request like the one you sent. I am willing to discuss whatever vulnerabilities you believe you have found but I will
not be duped, demanded for restitution/bounty or listen to a sales pitch.
This kind of incompetence directly endangers the privacy and security of anyone who does business with Panera. And it's reminiscent of the kind of incompetence that characterized the Equifax breach and other recent high-profile hacks.
Maybe it's time that a subset of IT workers become professionally licensed and liable, like engineers.
Go to Mike's LinkedIn and he is the former "ISO - Sr. Director of Security Operations" for Equifax.
>Requiring a license would wind up making such qualified people more expensive to hire, and companies would ignore it and hire those without licenses to save money.
It would be just about impossible to enforce, naturally, and would be like firing the Senior Developers and hiring fresh graduates.
And we're talking about the director of security with 17 years of security experience here (he also spoke at Akamai Edge 2015), not a common programmer or admin. I'd assume he already isn't too cheap to hire with those credentials? And that a company that size doesn't skimp on its directors?
Then again they'll probably lose nothing over this leak and their response.
Being passive aggressive is even somewhat justifiable if they really get that much scamming, but taking offense at someone asking for a PGP key isn't, nor is ignoring Dylan's emails repeatedly for 6 days when he asked if his encrypted information came through.
Plus the whole "we are working on it" and then not doing anything for 8 months. Did he throw what Dylan sent him away? And then the fix that required you to log in (with an ordinary customer account) to get all customers' data instead of exposing it to the internet. They also told Fox only 10 000 customers were affected, treated Krebs like an idiot to the point that he went on a Twitter rant against them, and he and others were posting links to other holes, web-accessible admin login panels of various things, etc. and saying their website should be taken down (which it now is).
Dylan also angrily posted this after they said to the press they take security seriously: https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-s...
He also might have spoken at Akamai Edge 2015 as a security expert (some internal page comes up if you Google his name called 'speaker details', and in the URL the ID of the event leads to Akamai Edge 2015).
 - I've no idea if it's good for anything but according to Wikipedia DoD, NSA and ANSI approve of it and it makes the salaries of its holders higher.
Except for software engineers, ironically.
Infosec is an area where there is already a problem with credential collectors, and in many places it is just a dressed up audit/compliance function. It’s not a standalone vertical imo.
>'demanding a PGP key would not be a good way to start off'.
Please tell me this man will be fired.
Perhaps Mike knew that law and that's why he took Dylan's email as not genuine. Perhaps "yo fucka, I pwn'd your shit, tomorrow it's on the dark web if u no patch this link" would be the proper way to inform them of a leak.
Then again some people say it's good they didn't try to get Dylan arrested for "hacking".
It's gotten so they have to run a diff to see if there's anything new.
I agree it would be a stretch to make a claim but I'm not 100% sure it would be fruitless.
Coincidence? Strike two?
His first security gig was Senior IT Security Analyst at A. G. Edwards and Sons. His only work experience before that was Supervisor of Branch Installations.
This seems unbelievable, but that senior security position was his first IT experience.
I assumed for some time that installing backdoors is a good way to sell customer data you otherwise wouldn't be allowed to share.
Look at Facebook and how their API was surprisingly abused for years until they noticed it.
Mike Gustavison, Director of Info Sec, Panera Bread
How about impossible. Storing the CVV number is 100% not allowed. Even storing complete card numbers is only allowed under very specific conditions. Any deviation opens them up to liability for related fraud.
We encrypt these at the app, even before putting them into the DB, yada yada. The PCI auditor actually made us restore the DB from backup onto another server and show them the data, to prove that some magical process in the backup program didn't cause them to come un-encrypted. They also wanted us to change all corporate email addresses to random characters, ostensibly to prevent spear phishing (we declined to take this suggestion). My point is that they go to crazy lengths to ensure you're doing this stuff right.
B- How can a company have such a bad response? I think just about every big company has put a huge emphasis on data security. But hey, companies are big and technology is complex, so maybe data leaks still happen. But when they do, how can you treat them with such a lack of care? And how can the director of Security be alerted about this and not fix it? Seems potentially criminally negligent?
C- The tweets from Brian Krebs are also infuriating (and hilarious) https://twitter.com/briankrebs
"Per my last tweet, Panera issued a statement to Fox News saying the breach only impacted 10,000 customer accounts. Interesting that they had no numbers for me, and yet had this 10k number all ready to go on the same day this was "discovered," eight months after it was reported."
"Hey Panera, despite your statements to the contrary, you still haven't fixed this customer info leak. Would you like to revisit the 10k number you just gave to Fox news? https://delivery.panerabread.com/foundation-api/users/12345"
"you know what, let's go for 37M instead of 7M: https://delivery.panerabread.com/foundation-api/users/12345"
"At the risk of making my job harder (or possibly, easier?) it's clear I'm going to have to write an entire series of blog posts about how not to handle a data breach from a PR perspective. I'm sputtering over here. Gave @panerabread every courtesy and they treat me like an idiot"
"Hey @panerabread : before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn't extend to all other parts of your business, like http://catering.panerabread.com , etc. Only proper response is to deep six entire site"
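The enumerable customer records in Dylan's report and the `/foundation-api/users/12345` endpoint in the tweets above are a textbook insecure direct object reference. The following is an added example, not code from the thread or from Panera: a constructed in-memory model of that weak design beside a hardened one (session bound to a single customer, ownership enforced), plus a log check a defender can run to spot a client walking sequential ids. The customer records, session store, IP addresses and log lines are all constructed.

```python
# IDOR on a /users/<id> endpoint: weak design, hardened design, and a log check.
# Everything here is constructed for illustration (customers, sessions, log lines).
import re
import secrets
from collections import defaultdict

# Constructed customer store keyed by sequential integer ids.
CUSTOMERS = {
    12345: {"name": "A. Customer", "email": "a@example.invalid",
            "phone": "555-0100", "card_last4": "4242"},
    12346: {"name": "B. Customer", "email": "b@example.invalid",
            "phone": "555-0101", "card_last4": "0005"},
}

def vulnerable_get_user(user_id):
    """Weak design: no authentication; the record is chosen by a guessable id."""
    return CUSTOMERS.get(user_id)

# Hardened design: opaque session tokens, each bound to one customer id.
SESSIONS = {}

def login(user_id):
    """Issue an unguessable session token for an already-authenticated customer."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token

def hardened_get_user(token, user_id):
    """Require a valid session and enforce that the caller owns the record."""
    caller = SESSIONS.get(token)
    if caller is None or caller != user_id:
        return None  # same answer for 'not found' and 'not yours'
    return CUSTOMERS.get(user_id)

# Detection: a client requesting a long run of consecutive ids is enumerating.
LOG_RE = re.compile(r'^(\S+) .*"GET /foundation-api/users/(\d+) ')

def enumerating_clients(log_lines, threshold=5):
    """Return client addresses whose requested ids form a run >= threshold."""
    ids_by_ip = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_ip[m.group(1)].add(int(m.group(2)))
    flagged = []
    for ip, ids in ids_by_ip.items():
        s = sorted(ids)
        run = best = 1
        for a, b in zip(s, s[1:]):  # longest run of consecutive ids
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= threshold:
            flagged.append(ip)
    return flagged

# Constructed access-log lines: one client walks ids 12345..12350, another reads one.
SAMPLE_LOG = [f'203.0.113.9 - - [02/Apr/2018:10:00:{i:02d} +0000] '
              f'"GET /foundation-api/users/{12345 + i} HTTP/1.1" 200 311' for i in range(6)]
SAMPLE_LOG.append('198.51.100.4 - - [02/Apr/2018:10:01:00 +0000] '
                  '"GET /foundation-api/users/12345 HTTP/1.1" 200 311')
```

Returning the same empty answer for "not found" and "not yours" keeps the hardened endpoint from confirming which ids exist, which is what made the original counts (10k, 7M, 37M) so easy to estimate from the outside.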
Sometimes life imitates art.
Between that and the fact most established businesses I've been in still treat IT like it's a necessary evil and a waste of money, I'm not remotely surprised when stuff like this happens. My current company had a data breach; the IT Director swept it under the rug. I contacted my attorney for what I'm required to do (to cover my ass). I emailed my managers and moved on down the road.
Instead of fines, the Chief Security Officer should be fully responsible and face 35 years in jail if a breach happens.
You better believe they'll care about security then.
Many companies would also rethink whether they need to track and keep personal information at all.
This security director handled Dylan's bug report badly and deserves the reputation hit he's getting. But if we're going to suggest liability (let alone criminal liability) for security flaws, we should at least have some idea of what it is we're regulating.
The final "stick" and reason for a C in the title is the responsibility to shut down the data (and website) until such a point it can be secured.
It should be considered as much of a fiduciary duty (protect shareholders, customers) to protect data as making the right investment or HR decisions.
It is very simple: with big $$ there should be a big risk.
It's a shame it ended the way it did, but please don't downplay what he did and use his name to push an agenda.
Is that true? It was an unlocked closet. The walls were covered in graffiti.
So, if your house has the door ajar, and the walls are "covered in graffiti" it's open for all?
And a house is different than a school. MIT has an open campus. MIT has a long history of celebrating students who transgress boundaries and go where it is unexpected. I don't have a history of celebrating people who enter my house uninvited.
> Swartz had connections to [MIT]: "He was a regular visitor to the MIT campus and interacted with MIT people and groups both on campus and off. … He was a member of MIT's Free Culture Group, a regular visitor at MIT's Student Information Processing Board (SIPB), and an active participant in the annual MIT International Puzzle Mystery Hunt Competition. Aaron Swartz's father, Robert Swartz, was (and is) a consultant at the MIT Media Lab. Aaron frequently visited his father there, and his two younger brothers had been Media Lab interns." 
If a good friend of mine sees my house has the door ajar, and the walls are "covered in graffiti" it would be perfectly reasonable for him to check inside.
Only when it's conservative enough and doesn't break the law too much. And not officially. In fact the very Wikipedia link says:
"Although the practice is unsanctioned by the university, and students have sometimes been arraigned on trespassing charges for hacking, hacks have substantial significance to MIT's history and student culture".
>If a good friend of mine sees my house has the door ajar, and the walls are "covered in graffiti" it would be perfectly reasonable for him to check inside.
Not really. Especially if they know they're not welcome if found inside, and they have no business there.
I don't see any reason to think they would be upset about him going in an unlocked closet. The previous quote mentions he was part of a puzzle hunt. If he was creating a part of that hunt and used that closet as a part of a puzzle I would think they would have been ok with it. The walls were covered with graffiti. How many years of prison were the students who drew the graffiti threatened with?
I think it would qualify for the UK equivalent.
Yes, if the security failure is grossly negligent, you should face criminal proceedings. As a C level executive, you are responsible for your chain of command.
The reality is that it is vanishingly rare for any engineer to face criminal charges for their professional actions. It doesn’t seem to me that software is held to much lower a standard.
Watching the SEC closely to see how many ICOs they prosecute. Also was helpful to see someone involved with their breach response who attempted to profit from non-public material information prosecuted (although that's tangential to the breach itself).
Someone relatively important is going to have to get burned before more software professionals are pursued for grossly negligent security failings.
It only happens in the most egregious of negligence cases as it is and even then convictions are rare.
I'm saying your impression that software engineering is protected is wrong, because no engineers (to any normal approximation) are brought up on criminal charges.
The title 'software engineer' without any notion of liability is an exercise in stroking one's ego.
Software engineers can be held liable in civil suits, as can other engineers even if there is no professional accreditation body for their industry.
It is less common in software than civil engineering for a few reasons, one of which is that customers literally have no problem signing away their liability. No one would sign a contract from a bridge designer that said “this might fall over in a stiff breeze” but that happens all the time with software.
And in the modern security context we're pushing deadlines just to race to the latest features with almost no regard for security in the process.
Something has to change. If this kind of negligence were causing similar problems in physical realms there would be regulations.
The tech companies behind these mistakes won't have that free roam forever. Every major screw-up is a step closer to regulations and everyone will cry about it when it happens... But so many companies today don't seem like they're ready to behave responsibly.
Your culture is set by your leadership. Make good choices.
I make coffee nearly every morning by boiling water in a tea kettle and pouring it over coffee grounds in a Melitta filter. If I poured or spilled it on my genitals, that would be bad. Doesn't make an approximately 200F temperature incorrect though.
See the National Coffee Association on how to brew coffee at http://www.ncausa.org/About-Coffee/How-to-Brew-Coffee
I agree with your principles in theory but it's just impractical.
You must hold systemic negligence and corruption accountable, or it perpetuates the cycle.
B) They were prosecuted for the very specific crime of obstruction of justice after they were caught destroying evidence. It wasn't some backlash against a nebulous problem.
C) Their conviction was overturned!
I'm not sure you could have picked a worse example for arguing your point.
There seems to be an unlimited supply of people always popping up to "debunk" the "myths" about the Liebeck case who seem to deflect from the fact that it is normal for coffee to be brewed at near boiling temperatures that cause the sort of damage that was at issue. I could burn myself severely while draining pasta too, if I pour hot water all over my pants and don't remove them; it doesn't mean boiling water is too hot for cooking nor that say, a manufacturer of a non-defective pot is to blame.
Added reference due to downvoting:
"Your brewer should maintain a water temperature between 195 to 205 degrees Fahrenheit for optimal extraction."
The only crime was not fixing the problem and keeping it a secret AFTER IT HAD BEEN DISCOVERED. In this case, it wasn't the mistake that was the crime, it was the cover-up.
But there isn’t an equally trained engineer dedicating his energy to taking down the bridge - it only has to not collapse under normal usage.
When a bridge is intentionally destroyed by enemy action, its engineer is not held liable.
To be fair, they have several hundred (if not thousands of) years of trial and error, documentation, etc. behind them to (try and) help people avoid the mistakes.
Computer Science has barely 70 years of half-arsed fumbling about.
They were eventually acquitted, but the very fact that they were even charged in the first place is ridiculous.
Jr. Developer - automatic pass. Low money
Sr. Developer - likely a pass, provided 'i' are dotted and 't's are crossed - decent money
Tech Lead - no pass unless tried very hard to get it resolved, big money
Exec - no pass, very big money
In Swartz's case, the prosecutor was trying to make an example of him because his public university made/is making tons of money for providing information that should be free (or already is).
In this case, I would imagine they want people's info to be leaked and exposed as much as possible, just to have a good reason to fine those for-profit private companies.
Edit: in other words - show me a priest who doesn't want you to sin, or a cop who doesn't want you to break the law, or a doctor who is not fine with people getting sick. Otherwise they would all be out of a job.
Here's the definition:
So their old 1990s site, worked fine. Upgrade to new whizbang bullshit and a steady stream of emails still can't get it to simply use a CSS print routine. Outsourcing is glorious!
Not to insult the intelligence of these fine agency folk; my point is security is only as strong as its weakest link. And whether public or private, people can make some very weak choices.
A summary of their plan is at https://request.network.
What things would prevent them from implementing this? Seems like a great way to stop losing credit card and identity info in breach after breach.
Time is a flat circle. Everything that has happened before will happen again. Every time it happens, we will hear "Security is our top priority" or "We take security very seriously."
EDIT: This just got more interesting. Turns out that despite taking the site down for an hour earlier today, they didn't fix it: https://twitter.com/briankrebs/status/980944555423002630
Also, based on the vulnerability still working at this endpoint, Krebs revised his estimated number to 37 million records: https://twitter.com/briankrebs/status/980949205974953984
So I was once told by a cop, when I told them the defendant is lying about not showing up, that he has good reasons. Unless you are under oath by very few LE organizations, it's not illegal to lie.
Of course I'm not saying it's a good thing; just pointing out they can say whatever they want to - there is no liability.
I’d prefer crippling fines.
4 DOG DEFENSE
My Dog Does Not Bite.
My Dog Bites, But It Didn't Bite You.
My Dog Bit You, But It Didn't Hurt You.
My Dog Bit You And Hurt You, But It Wasn't My Fault
Probably won't happen until some Senator gets personally burned. Equifax hasn't suffered much, for example, and they released almost all of their info for every adult in the US that ever used a credit card or had a mortgage.
I'm almost wishing some activist hacker would buy the data for the House and Senate reps and go to town... just to get their attention. Purchase pornhub accounts, shady drug site stuff, escorts, etc., and start sharing it publicly.
The Equifax dump was apparently huge.
The whole bunch has been blackmailed for decades. Just not "ordinary" blackmailing, but threatening by big funders to cut said funding unless, for example, the politician keeps supporting NRA/BigAg/BigFinance-favorable policies...
But I so want to lose my mind, start getting these breach db's and start emailing Congresscritters with "This email was hacked, you're screwed, we're screwed, and here's legit links to help fix our lives back up... (eff.org) (hibp) etc"
And now I'm on the watch list for when someone crazier than me actually does this. Sigh.
"We take security very seriously ;)"
There’s no accountability and it’s about protecting everyone in that class at the expense of all other employees and consumers.
But why would Panera, Equifax, et al bother investing in better security when they face no consequences for these incidents?
Markets can't solve everything
Thanks for that protip.
They don't care that your information got leaked, that doesn't enter into the calculation (unless it costs them money, which it doesn't).
OP, I don't mean to disparage you, but this is the internet, and there just aren't enough grains of salt in the world to allow me to swallow a tale like that without speaking up.
I'm pretty sure the intersection of time between Panera's spread to the east coast and MapQuest's prevalence doesn't line up.