Say it isn’t so, Panera! Unfortunately, it is. While I am a huge fan of Panera from the perspective that their food is incredibly tasty and impressively healthy, I am not a fan of this latest data security concern. Security researcher Dylan Houlihan and KrebsOnSecurity have discovered that Panera has left millions of customers exposed through its website. When I say millions, the estimate at this point is about 37 million. The information is being exposed by way of customer sign-up records and includes email addresses, home addresses, phone numbers and loyalty account information. This isn’t good.
Let me take a step back on that last sentence. There is potential for this to be not good. But thankfully it was discovered before anything nefarious happened, which means it’s not the end of the world, but a lesson that a lot of organizations seem to have to learn the hard way. I mean, think about how many organizations have this kind of information just lying around on their website. While this wasn’t a huge data breach, it certainly could have been.
What bothers me about this is that Panera Bread doesn’t seem to be too responsive to the problem. How can you not care about this? You had a plain text file on your website with the names and contact information of anyone who’s signed up for your card, which equates to 37 million people potentially being exposed to hackers. There is so much personal data out there now; why add to it? And if you do find out about something like this, be responsive. That’s all we’re asking. Well, that and to attempt to prevent it in the first place.
Houlihan notified the company about the problem back in August of 2017 and got a response saying that they were working on a resolution. But they didn’t take the file down until KrebsOnSecurity got involved. Not once, but twice. In a follow-up statement, Panera Bread said that it was still investigating the vulnerability, but indicated that there was “no evidence” of either payment information being exposed or anyone accessing a large number of the accounts. Maybe not, but that’s not a reason to continue this crummy business practice.
The good news is that you’re probably not at risk of having your data exposed. But, like I’ve been saying all along, this is a recurring problem with internet security in general. There are a ton of companies out there that have failed to encrypt their data or even adhere to basic security policies. How is this still happening in 2018? Sure, locking down information isn’t necessarily THE answer, but it’s a start. This is basic security 101, isn’t it? The solution isn’t that difficult, but it’s apparently something they didn’t even think was an issue. Panera Bread makes some incredible food, in my opinion. They definitely need to stick to that and let someone else handle their security concerns.