It has been discovered that Panera Bread left the information of up to 37 million customers who signed up for delivery and other services, including “names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number”, in plain text format accessible via its website. IT security experts commented below.
Tim Erlin, VP, Product Management and Strategy at Tripwire:
“Organizations that collect, store and transmit customer data need to have plans in place to deal with reported vulnerabilities. The time to plan is before an incident occurs, not during.
Every publicly disclosed incident is an opportunity for unaffected organizations to consider how they would respond. Don’t just criticize the response; use the incident as a model for how your own organization might respond, and take steps to improve before it’s your name in the headline.”
Anthony James, Chief Marketing Officer at CipherCloud:
Lisa Baergen, Director at NuData Security:
“The most proven and effective solutions for protecting customers are readily available and increasingly widely implemented: multi-layered security solutions that incorporate verification via passive biometrics, without adding friction, by evaluating a consumer’s inherent behaviour online during the transaction process. This field-proven approach lets the company confirm that a consumer is legitimate or a would-be fraudster before loss to the company can occur, even if the correct data – perhaps stolen – was used. And it also prevents the company’s reliance on the sort of personally identifiable customer data that’s once again been leaked. Ultimately, the shift to more advanced multi-layered solutions will, over time, render stolen information valueless to cybercriminals, as passive biometric verification defies use by third parties.”
Travis Smith, Principal Security Researcher at Tripwire:
“A company can spend millions on the latest and greatest security technologies and have the most impenetrable defenses known to man. But when you leave the front door open, none of that will matter.
“Unfortunately, the general public has breach fatigue. It seems like every day there’s another story about a different hack and a different breach of privacy. The reality is that most people will be outraged about this today, but next week they won’t even remember that it happened. Even if there was some sort of litigation, those who were affected can really only count on adding another year of free credit monitoring.
“While this is personally identifiable information, the sad fact is that the only real new piece of information attackers have now is that you like sandwiches. They can correlate that with your healthcare records, credit score, and social media profile to get a more accurate picture of who the real you is.”
Terry Ray, CTO at Imperva:
“Was personal and credit card data exposed to the internet? Was any of it taken? How much data was stolen? Where did it go? When was it taken?
“Law enforcement will need to find proof that data was stolen before levying fines or requiring identity theft protection for consumers, but past situations have shown that the FTC doesn’t have to find every record on the web; they just have to find some, and then it’s up to the victim company to prove how many records were taken. Also, I expect PCI regulators will question any PCI audits done since August, looking for passes on application security, code review and code correction.
“Panera appears to have had an application security practice in place, so any investigation will likely spend time understanding what Panera monitored of normal versus abnormal activity, did they have a regularly scheduled security assessment run against their public websites, and did they correct poor coding practices once found.
“It seems, at a minimum, they failed to either believe and test the first finding of this breach in August and quickly rectify the issue once it went public here in April. They certainly appear capable of fixing the issue, as they did quickly today, so why didn’t it happen in August when they were first alerted?”
Willy Leichter, Vice President of Marketing at Virsec:
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.