Panera Bread’s website leaked customer information including names, addresses, birthdays, and the last four digits of credit cards for almost eight months before being discovered. IT security experts commented below.
Chris Olson, CEO at The Media Trust:
Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks:
“In the case of Panerabread.com, the site had an open API that anyone on the internet could query and did not require any type of authentication. This API discloses the following information about customers who have previously registered on the website: username, first and last name, email address, phone number, birthday, last four digits of the credit card number, home address, social account, user preferences and dietary restrictions. This information can be queried if you know the phone number of the customer, which one could easily obtain using a second API.
This second API can be queried using a customer ID number to retrieve the username chosen, email address, first and last name, loyalty card number, phone number, full birth date and other options like SMS preferences, corporate customer status, etc. This API was easier to mine because sequential numbers were used as customer IDs.”
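The two weaknesses named in the comment above, an unauthenticated lookup and guessable sequential customer IDs, are the textbook ingredients of broken object-level authorization. The following is an added example written for this page, not Panera's code or anyone's reconstruction of it. It models a profile-lookup endpoint the flawed way beside a hardened version (session required, caller must own the record, opaque public IDs), and adds a small detector that flags a client walking consecutive IDs in access logs. All customers, tokens, IP addresses and log lines are constructed.

```python
"""Added example (not Panera's code): object-level authorization, opaque
public IDs, and a sequential-ID enumeration detector. All data constructed."""
import re
import secrets
from collections import defaultdict

# Constructed customer records keyed by an internal, sequential database ID.
CUSTOMERS = {
    1001: {"name": "Alice Example", "phone": "555-0101", "email": "alice@example.invalid"},
    1002: {"name": "Bob Example", "phone": "555-0102", "email": "bob@example.invalid"},
}

# Opaque, unguessable public IDs exposed on the wire instead of the integers.
PUBLIC_IDS = {cid: secrets.token_urlsafe(16) for cid in CUSTOMERS}
INTERNAL_IDS = {pub: cid for cid, pub in PUBLIC_IDS.items()}

# Bearer token -> internal customer ID (constructed session store).
SESSIONS = {}


def login(customer_id):
    """Issue a random session token bound to one customer."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def lookup_insecure(customer_id):
    """The flaw described above: no authentication, guessable integer ID."""
    return CUSTOMERS.get(customer_id)


def lookup_secure(token, public_id):
    """Hardened lookup. Returns the record only when the session is valid AND
    the caller owns the requested record; otherwise fails closed with None.
    A real handler would map None to HTTP 401/403 without leaking which
    condition failed."""
    caller = SESSIONS.get(token)
    if caller is None:
        return None
    target = INTERNAL_IDS.get(public_id)
    if target is None or target != caller:   # object-level authorization check
        return None
    return CUSTOMERS[target]


LOG_LINE = re.compile(r"^(?P<ip>\S+) \S+ /api/customer/(?P<cid>\d+) \d+$")


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in `ids`."""
    ordered = sorted(set(ids))
    best = run = 1 if ordered else 0
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def detect_enumeration(log_text, threshold=5):
    """Return the set of client IPs that requested at least `threshold`
    consecutive customer IDs, a signature of ID enumeration."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            seen[m.group("ip")].append(int(m.group("cid")))
    return {ip for ip, ids in seen.items() if longest_consecutive_run(ids) >= threshold}


# Constructed access-log sample: one client walks IDs 1001..1005 in order,
# another repeatedly fetches only its own record.
SAMPLE_LOG = """\
203.0.113.5 GET /api/customer/1001 200
203.0.113.5 GET /api/customer/1002 200
203.0.113.5 GET /api/customer/1003 200
203.0.113.5 GET /api/customer/1004 200
203.0.113.5 GET /api/customer/1005 200
198.51.100.9 GET /api/customer/1002 200
198.51.100.9 GET /api/customer/1002 200
"""

if __name__ == "__main__":
    tok = login(1001)
    print("own record:", lookup_secure(tok, PUBLIC_IDS[1001])["name"])
    print("someone else's record:", lookup_secure(tok, PUBLIC_IDS[1002]))
    print("enumerating clients:", detect_enumeration(SAMPLE_LOG))
```

The detector is deliberately simple: a threshold on consecutive IDs per client. In production the same signal would be combined with request rate and with 404/403 counts, and the opaque-ID change removes the easy walk in the first place; the authorization check is the one control that would have closed the hole even with integer IDs.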
Paul Bischoff, privacy advocate at Comparitech.com:
“The Panerabread.com leak is an inexcusable oversight that not only took far too long to fix, but should have never occurred in the first place. Customers’ names, email addresses, physical addresses, birthdays, and the last four digits of their credit cards were accessible for eight months. This was not a sophisticated breach by hackers. The unsecured database of millions of customers could easily be accessed via a web browser, and all the data was available in plain text, meaning thieves wouldn’t even have to bother decrypting it.
This is a good example of why consumers need to be cautious about signing up for loyalty programs and similar promotional membership schemes. It’s very difficult or impossible to know whether a company takes your information security seriously and can competently handle it.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.