News & Analysis

Panera Bread Website Leaks

By ISBuzz Team, April 3, 2018 (Updated: July 4, 2024)

It has been discovered that Panera Bread left the information of up to 37 million customers who signed up for delivery and other services, including “names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number”, accessible in plain text via its website. IT security experts commented below.

Tim Erlin, VP, Product Management and Strategy at Tripwire:

“Security is often as much about response as prevention, and that includes how organizations respond to incidents and breaches. The market isn’t particularly forgiving when it comes to public incident response.

Organizations that collect, store and transmit customer data need to have plans in place to deal with reported vulnerabilities. The time to plan is before an incident occurs, not during.

Every publicly disclosed incident is an opportunity for unaffected organizations to consider how they would respond. Don’t just criticize the response; use the incident as a model for how your own organization might respond, and take steps to improve before it’s your name in the headline.”

Anthony James, Chief Marketing Officer at CipherCloud:

“Millions of Panera Bread customer records potentially leaked, and most amazing, this went on for at least eight months according to KrebsOnSecurity. This breach is not unusual, and mirrors many recent headlines where mis-configurations occur, procedures may be missed, default passwords may still get used, ports will remain open to the internet, and, in this case, serious issues will somehow not be tracked and resolved. On a larger scale, can you even imagine that the thousands of alerts pouring into the average security operations center on their SIEM display are properly vetted every day? The moral of the story? Mistakes will be made and eventually they will become disastrous unless they are corrected or the data is protected along its entire lifecycle. What can others do to ensure that they don’t become tomorrow’s headline? Add the necessary security layers to build Zero Trust into the systems automatically – meaning whatever data is being stored/used, expect it will be compromised. Anticipate that people will make mistakes and build out your cyber defense and your security policies to protect from a breach – your overall security will be stronger for it.”

Lisa Baergen, Director at NuData Security:

“The company names change but the stories remain the same: Customers have had their information leaked because of the poor security procedures of companies transacting online, who continue to rely solely on plain text identifiers and static data such as credit card numbers, passwords and even simple customer names and phone numbers.

“The most proven and effective solutions for protecting customers are readily available and increasingly widely implemented: multi-layered security solutions that incorporate verification via passive biometrics, without adding friction, by evaluating a consumer’s inherent behaviour online during the transaction process. This field-proven approach lets the company confirm that a consumer is legitimate or a would-be fraudster before loss to the company can occur, even if the correct data – perhaps stolen – was used. And it also prevents the company’s reliance on the sort of personally identifiable customer data that’s once again been leaked. Ultimately, the shift to more advanced multi-layered solutions will, over time, render stolen information valueless to cybercriminals, as passive biometric verification defies use by third parties.”

Travis Smith, Principal Security Researcher at Tripwire:

“A company can spend millions on the latest and greatest security technologies and have the most impenetrable defenses known to man. But when you leave the front door open, none of that will matter.

“Unfortunately, the general public has breach fatigue. It seems like every day there’s another story about a different hack and a different breach of privacy. The reality is that most people will be outraged about this today, but next week they won’t even remember that it happened. Even if there was some sort of litigation, those who were affected can really only count on adding another year of free credit monitoring.

“While this is personally identifiable information, the sad fact is that the only real new piece of information attackers have now is that you like sandwiches. They can correlate that with your healthcare records, credit score, and social media profile to get a more accurate picture of who the real you is.”

Terry Ray, CTO at Imperva:

“It’s never a good day for companies when there is a proven data breach or data made available long-term, as the Federal Trade Commission can easily get involved and ask simple questions to which you don’t have complete answers.

“Was personal and credit card data exposed to the internet? Was any of it taken? How much data was stolen? Where did it go? When was it taken?

“Law enforcement will need to find proof that data was stolen before levying fines or requiring identity theft protection for consumers, but past situations have shown that the FTC doesn’t have to find every record on the web, they just have to find some, then it’s up to the victim company to prove how many records were taken. Also, I expect PCI regulators will question any PCI audits done since August looking for passes on application security, code review and code correction.

“Panera appears to have had an application security practice in place, so any investigation will likely spend time understanding what Panera monitored of normal versus abnormal activity, did they have a regularly scheduled security assessment run against their public websites, and did they correct poor coding practices once found.

“It seems, at a minimum, they failed to either believe or test the first finding of this breach in August, and quickly rectified the issue only once it went public here in April. They certainly appear capable of fixing the issue, as they did quickly today, so why didn’t it happen in August when they were first alerted?”

Willy Leichter, Vice President of Marketing at Virsec:

“As Yogi Berra said, ‘this feels like déjà vu all over again.’ Once again we see a large organization not taking security seriously enough, not reacting immediately when notified of a possible leak, and not promptly notifying customers that their data was exposed. Ongoing events like this will only heighten calls for a national standard on breach notification laws.”


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
