It has been discovered that Panera Bread left the information of up to 37 million customers who signed up for delivery and other services including “names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number” in plain text format accessible via its web site.IT security experts commented below.
Tim Erlin, VP, Product Management and Strategy at Tripwire:
“Security is often as much about response as prevention, and that includes how organizations respond to incidents and breaches. The market isn’t particularly forgiving when it comes to public incident response.
Organizations that collect, store and transmit customer data need to have plans in place to deal with reported vulnerabilities. The time to plan is before an incident occurs, not during.
Every publicly disclosed incident is an opportunity for unaffected organizations to consider how they would respond. Don’t just criticize the response; use the incident as a model for how your own organization might respond, and take steps to improve before it’s your name in the headline.”
Anthony James, Chief Marketing Officer at CipherCloud:
“MIllions of Panera Bread customer records potentially leaked, and most amazing, this went on for at least eight months according to KrebsOnSecurity. This breach is not unusual, and mirrors many recent headlines where mis-configurations occur, procedures may be missed, default passwords may still get used, ports will remain open to the internet, and, in this case, serious issues will somehow not be tracked and resolved. On a larger scale, can you even imagine that the thousands of alerts pouring into the average security operations center on their SIEM display are properly vetted every day? The moral of the story? Mistakes will be made and eventually they will become disastrous unless they are corrected or the data is protected along its entire lifecycle. What can others do to ensure that don’t become tomorrow’s headline? Add the necessary security layers to build Zero Trust into the systems automatically – meaning whatever data is being stored/used, expect it will be compromised. Anticipate that people will make mistakes and build out your cyber defense and your security policies to protect from a breach – your overall security will be stronger for it.”
Lisa Baergen, Director at NuData Security:
“The company names change but the stories remain the same: Customers have had their information leaked because of the poor security procedures of companies transacting online, who continue to rely solely on plain text identifiers and static data such as credit card numbers, passwords and even simple customer names and phone numbers.
“The most proven and effective solutions for protecting customer are readily available and increasingly widely implemented: multi-layered security solutions that incorporate verification via passive biometrics, without adding friction, by evaluating a consumer’s inherent behaviour online during the transaction process. This field-proven approach lets the company confirm that a consumer is legitimate or a would-be fraudster before loss to the company can occur, even if the correct data – perhaps stolen – was used. And it also prevents the company’s reliance on the sort of personally identifiable customer data that’s once again been leaked. Ultimately, the shift to more advanced multi-layered solutions will, over time, render stolen information valueless to cybercriminals, as passive biometric verification defies use by third parties.”
Travis Smith, Principal Security Researcher at Tripwire:
“A company can spend millions on the latest and greatest security technologies and have the most impenetrable defenses known to man. But when you leave the front door open, none of that will matter.
“Unfortunately, the general public has breach fatigue. It seems like every day there’s another story about a different hack and a different breach of privacy. The reality is that most people will be outraged about this today, but next week they won’t even remember that it happened. Even if there was some sort of litigation, those who were affected can really only count on adding another year of free credit monitoring.
“While this is personally identifiable information, the sad fact is that the only real new piece of information attackers have now is that you like sandwiches. They can correlate that with your healthcare records, credit score, and social media profile to get a more accurate picture of who the real you is.”
Terry Ray, CTO at Imperva:
“It’s never a good day for companies when there is a proven data breach or data made available long-term, as the Federal Trade Commission can easily get involved and ask simple questions to which you don’t have complete answers.
“Was personal and credit card data exposed to the internet? Was any of it taken? How much data was stolen? Where did it go? When was it taken?
“Law enforcement will need to find proof that data was stolen before levying fines or requiring identity theft protection for consumers, but past situations have shown that the FTC doesn’t have to find every record on the web, they just have to find some, then it’s up to the victim company to prove how many records were taken. Also, I expect PCI regulators will question any PCI audits done since August looking for passes on application security, code review and code correction.
“Panera appears to have had an application security practice in place, so any investigation will likely spend time understanding what Panera monitored of normal versus abnormal activity, did they have a regularly scheduled security assessment run against their public websites, and did they correct poor coding practices once found.
“It seems at a minimum, they failed to either believe and test the first finding of this breach in August and quickly rectified the issue once it went public here in April. They certainly appear capable of fixing the issue as they did quickly today, so why didn’t it happen in August when they were first alerted.”
Willy Leichter, Vice President of Marketing at Virsec:
“As Yogi Berra said, “this feels like déjà vu all over again.” Once again we see a large organization not taking security seriously enough, not reacting immediately when notified of a possible leak, and not promptly notifying customers that there data was exposed. Ongoing events like this will only heighten calls for a national standard on breach notification laws.”