Panera Bread's website leaked customer information including names, addresses, birthdays, and the last four digits of credit cards for almost eight months before being discovered. IT security experts commented below.
Chris Olson, CEO at The Media Trust:
“Website breaches have become an epidemic that hurts corporate reputation and brand identity. The Panera website leak is just another example that demonstrates the complexity of security in the digital age. Be it poorly configured databases or unmanaged vendors, enterprises have a responsibility to do a better job controlling their digital ecosystems, especially when it comes to protecting consumer data. The ensuing damage to a brand’s image is costly. In today’s changing regulatory environments, enterprises need to update their vendor risk management strategies to include the digital environment, with specific attention paid to identifying all parties executing in websites and mobile apps. For most enterprises, this knowledge is limited to the software and hardware they purchase or license for use. Identification and control of these external resources is critical to developing a comprehensive security strategy for digital assets.”
Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks:
“This kind of programming mistake is much more common than you would think. We highly advise website owners to perform penetration testing of their websites to identify these types of vulnerabilities as early as possible.
In the case of Panerabread.com, the site had an open API that anyone on the internet could query and did not require any type of authentication. This API discloses the following information about customers who have previously registered on the website: username, first and last name, email address, phone number, birthday, last four digits of the credit card number, home address, social account, user preferences and dietary restrictions. This information can be queried if you know the phone number of the customer, which one could easily obtain using a second API.
This second API can be queried using a customer ID number to retrieve the username chosen, email address, first and last name, loyalty card number, phone number, full birth date and other options like SMS preferences, corporate customer status, etc. This API was easier to mine because sequential numbers were used as customer IDs.”
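The flaw Hahad describes is a lookup endpoint that accepts a guessable customer ID with no authentication and no check that the caller owns the record. The following is an added illustration, not Panera's code, showing that pattern next to a hardened handler; the records, the session store and the returned field set are constructed for the example.

```python
# Added illustration (not Panera's code): an open lookup by sequential
# customer ID next to a version that authenticates the caller, enforces
# object-level authorization, and returns only the fields the feature needs.
import secrets

# Constructed sample data: customer records keyed by sequential ID.
CUSTOMERS = {
    1001: {"phone": "555-0101", "email": "a@example.com", "cc_last4": "1234"},
    1002: {"phone": "555-0102", "email": "b@example.com", "cc_last4": "5678"},
}

def vulnerable_lookup(customer_id):
    """Open endpoint: anyone supplying an ID gets the full record back."""
    return CUSTOMERS.get(customer_id)

# Hardened version. SESSIONS is a constructed in-memory session store;
# SAFE_FIELDS is the minimised projection returned to the customer.
SESSIONS = {}  # token -> customer_id
SAFE_FIELDS = ("email", "phone")

def login(customer_id):
    """Issue an unguessable session token for an authenticated customer."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token

def hardened_lookup(token, customer_id):
    """Return (status, body): 401 without a valid session, 403 when the ID
    is not the caller's own (checked before any lookup, so nothing about
    other IDs is revealed), 404 for an unknown own ID, else 200 + record."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, None
    if caller != customer_id:
        return 403, None
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return 404, None
    return 200, {k: record[k] for k in SAFE_FIELDS}

if __name__ == "__main__":
    print(vulnerable_lookup(1002))          # full record for any guessed ID
    t = login(1001)
    print(hardened_lookup(t, 1001))         # (200, minimised own record)
    print(hardened_lookup(t, 1002))         # (403, None)
    print(hardened_lookup("bogus", 1001))   # (401, None)
```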
Paul Bischoff, privacy advocate at Comparitech.com:
“The Panerabread.com leak is an inexcusable oversight that not only took far too long to fix, but should have never occurred in the first place. Customers’ names, email addresses, physical addresses, birthdays, and the last four digits of their credit cards were accessible for eight months. This was not a sophisticated breach by hackers. The unsecured database of millions of customers could easily be accessed via a web browser, and all the data was available in plain text, meaning thieves wouldn’t even have to bother decrypting it.
This is a good example of why consumers need to be cautious about signing up for loyalty programs and similar promotional membership schemes. It’s very difficult or impossible to know whether a company takes your information security seriously and can competently handle it.”