A security researcher has gone public to point out a data leak at the website Panerabread. He says his warnings were ignored.
It is unclear exactly how many could have been exposed, but the numbers reportedly range into the millions – in excess of 37 million by one estimate. Dylan Houlihan, a user of the Panerabread website, noticed a security flaw that could allow anyone to obtain the details of every user of the website. The information includes dates of birth, phone numbers, parts of customers' credit card numbers, and addresses.
Houlihan contacted the website and warned them that it was vulnerable. He even offered a proof-of-concept example of how the information could be seen by anyone. In response, the website owners said that the issue would be taken care of. Unfortunately, the issue was left alone and the flaw persisted. After waiting months for a resolution, Houlihan went public with the issue in the hope of getting it resolved more quickly.
Shortly after the story started making its rounds on various news websites, the owners finally took down the website to patch the vulnerability. Panerabread explained that they had, in fact, received the messages from Houlihan, but said that they thought it was either a scam or someone who was looking for a job. Houlihan called the response “half-baked”. From NPR:
“The data available in plain text from Panera’s site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com,” Krebs wrote, adding that the huge company has more than 2,100 stores.
Panera collects customers’ information online for everything from its awards and loyalty program to individual orders, delivery, and catering jobs.
Krebs and Houlihan are sharply criticizing Panera’s handling of the issue, saying the company does not take web security seriously enough — and that it wasn’t being honest when it said the breach was a) small and b) fixed. Both of the security experts said Panera wildly understated the problem when it told Fox Business Network on Monday night that “fewer than 10,000 consumers have been potentially affected” by the issue.
In contrast, Krebs wrote on his site that “incremental customer numbers indexed by the site suggest that number may be higher than seven million.” But Krebs later updated the figure to include the findings of other researchers who found the same vulnerabilities in Panera’s commercial division, stating, “the number of customer records exposed in this breach appears to exceed 37 million.”
The leak comes right on the heels of the Saks and Lord & Taylor data breach, in which 5 million payment cards were exposed and put up for sale on the dark web. As we noted, it seems that April is really starting off with a bang when it comes to leaks and breaches.