Panera Bread Hack

Panera Bread Hack | Tier3MD | Panera Security Team
By now, you have probably heard that there was a Panera Bread hack. This hits close to home, as I have spent many weekends in Panera Bread building my business. One of our Tier3MD partners, ID Agent, published information on the hack.

Panera Bread Hack

Date Occurred: Vulnerability discovered August 2017

Date Disclosed: April 3, 2018

Data Compromised: Names, emails, physical addresses, birthdays and the last four digits of the customer’s credit card number. There is no evidence that full payment card information, or a large number of records, was accessed or retrieved.

How it was Compromised: Data Exploit/Website Vulnerability. Panera Bread on Monday said it has resolved the security flaw on its website that exposed the data.

Customers Impacted: Panera’s CIO has suggested fewer than 10,000 consumers have been potentially affected by this issue. Other reports suggest up to 37 million accounts may have been exposed.

Attribution/Vulnerability: Website vulnerability not disclosed.

Business Risk: Moderate (POS/Website Patch)

What you need to know: Put this in the categories of “What was What?” AND “Crisis Communications Stupidity”.

On one hand, you can sympathize with the Panera CIO for assuming he was being scammed by the security researcher who first reported the exploit back in August 2017. On the other hand, Panera’s security team did engage the researcher via encrypted communications and said they were working on a resolution, but appeared to have done nothing about the reported exploit on delivery.panerabread.com.

Here’s why this is bad news for Panera:

  • Data was leaked for 8 months (full string/clear text).
  • It took Panera Bread 8 months to implement a patch that took 1 hour to deploy!
  • Panera is using the now industry-standard phrase “no evidence of intrusion” to potentially skirt breach laws and liability.
  • Panera’s “crisis communications” team made a mistake. Panera security says there is no evidence of a data leak, while its communications team said it was contained to 10k people. Now the company has a PR nightmare on its hands!

This just proves that everyone in the digital world is vulnerable to a hack. It’s getting harder and harder to stay safe online. The best protection is education. Be smart online!