SUNSET HILLS, Mo. -- It was in August 2017 that security researcher Dylan Houlihan notified restaurant chain Panera Bread Co. that its website was leaking detailed customer information. The leaked information included any Panera account holder’s full name, home and email addresses, food and dietary preferences, username, phone number, birth date and the last four digits of a saved credit card, according to Houlihan’s post on Medium.
It took Panera eight months to act on the report, and when the leak became public the delay drew a storm of criticism from customers. (See the Tweet below.)
During those eight months the personal data of Panera’s customers was not only exposed but, according to Houlihan, trivially easy to access. “You don’t need to target any specific user or interact with them whatsoever to collect this information. You don’t even need to be logged in,” he wrote on April 2.
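The article does not describe how Panera’s site was built, so the sketch below is a generic model of the class of flaw Houlihan describes: an account-lookup endpoint that hands any record to an unauthenticated caller, with sequential account numbers that let one loop walk the whole table. It is an added illustration, not Panera’s code. The record layout, the sample accounts, the session store and the function names are all constructed for the example; the hardened version shows the three checks a practitioner would expect (a valid session, the caller reading only its own record, and a response trimmed to the fields the feature needs).

```python
"""Vulnerable vs. hardened account lookup (constructed illustration)."""
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records with an assumed schema; not real customer data.
ACCOUNTS: Dict[int, Dict[str, str]] = {
    1001: {"name": "A. Example", "email": "a@example.invalid",
           "phone": "555-0100", "birthdate": "1980-01-01", "card_last4": "4242"},
    1002: {"name": "B. Example", "email": "b@example.invalid",
           "phone": "555-0101", "birthdate": "1985-02-02", "card_last4": "1111"},
}


# --- Vulnerable: no credential, no ownership check, guessable ids ----------
def lookup_account_vulnerable(account_id: int) -> Optional[Dict[str, str]]:
    """Returns the full record for any id to anyone who asks."""
    return ACCOUNTS.get(account_id)


def enumerate_all(start: int, stop: int) -> List[Dict[str, str]]:
    """What an unauthenticated scraper does against the endpoint above:
    count through the id space and keep every record that comes back."""
    found = []
    for account_id in range(start, stop):
        record = lookup_account_vulnerable(account_id)
        if record is not None:
            found.append(record)
    return found


# --- Hardened: session required, own record only, minimal response ----------
SESSIONS: Dict[str, int] = {}          # constructed session store: token -> account_id
SAFE_FIELDS = ("name", "email")        # what the profile page actually needs


def login(account_id: int) -> str:
    """Issue an unguessable session token. The password check that would
    precede this is assumed to have happened and is omitted for focus."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def lookup_account_hardened(token: Optional[str], account_id: int) -> Dict[str, str]:
    """Return a reduced record only to the authenticated owner of that record."""
    if token is None:
        raise PermissionError("authentication required")
    owner = None
    for stored, acct in SESSIONS.items():
        # Constant-time comparison so token lookup does not leak by timing.
        if hmac.compare_digest(stored, token):
            owner = acct
    if owner is None:
        raise PermissionError("invalid session")
    if owner != account_id:
        # Deny without revealing whether the requested id exists.
        raise PermissionError("forbidden")
    record = ACCOUNTS.get(account_id)
    if record is None:
        raise KeyError("no such account")
    return {key: record[key] for key in SAFE_FIELDS}
```

The contrast a reviewer should notice is that the vulnerable path takes only an integer as input, so nothing about the caller is ever checked; the hardened path takes the caller’s identity as its first argument and refuses before it ever touches the data store.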
Houlihan notified Panera’s information security director of the leak on Aug. 2, 2017. Panera continued to leak information, despite responding to Houlihan that the problem would be resolved, according to reports. Then, also on April 2, Brian Krebs of online security news source KrebsOnSecurity.com reached out to Panera with the intent to publish the details of the data leak. Around the time Krebs’ story was published, Panera briefly took its website offline to resolve the issue.
As other news outlets began to report the incident, Panera released a statement regarding the breach. “Panera takes data security very seriously, and this issue is resolved,” the company said April 2.
But the issue was not resolved. Later that same day, after Panera’s website went back online, Krebs took to Twitter.
Hey Panera, despite your statements to the contrary, you still haven't fixed this customer info leak. Would you like to revisit the 10k number you just gave to Fox news? https://t.co/AJeiq6Dfd0— briankrebs (@briankrebs) April 2, 2018
The 10,000 figure came from a statement Panera gave Fox News, which claimed that about 10,000 customer accounts were affected. Krebs disputed that number, initially estimating that more than 7 million accounts may have been exposed and, after further digging, revising the estimate to closer to 37 million, according to his website.
Panera’s website is back online now, and the issue appears to have been resolved—actually resolved.
To recap, Panera was notified eight months earlier that its website was leaving personal customer data open for essentially anyone to take. Aside from an email assuring Houlihan that the problem would be addressed, Panera appears to have done nothing to plug the leak, according to reports, until Krebs told the chain he was about to publish a story about it.
Similar to last year’s Equifax breach, this incident is filled with lessons for retailers on how not to handle a data breach.
What could the company have done instead?
Most important, Panera should have fixed the leak when Houlihan first reported it in August 2017. It then should have determined the extent of the exposure and notified affected customers promptly. Instead, according to reports, the chain made no public move to fix the leak or inform customers until Krebs was about to publish the details of its oversight.
No brand wants to admit it has exposed private consumer data, but once it has, it faces a choice: tell customers as soon as possible, or wait until someone else discovers the problem and makes it public. Had Panera fixed and disclosed the leak eight months earlier, it would have had far more control over the story and its image.