A Leak at Panera Exposed Customer Data for 8 Months

Panera Bread’s radical experiment in corporate transparency may have finally gone too far: The bakery chain admits that it accidentally posted the personal data of online customers on its website in plain, easy-to-steal text. The admission follows a report late yesterday by the blog KrebsOnSecurity claiming that Panera’s breach lasted for eight months and likely leaked “millions of customer records,” including “names, email and physical addresses, birthdays, and the last four digits of the customer’s credit card number.”

Brian Krebs, the journalist who runs that site, is sure about the lengthy duration because a security researcher showed him an email exchange dated August 2, 2017, in which the researcher (a guy named Dylan Houlihan) told Panera’s director of information security Mike Gustavison about the flaw. Krebs says Gustavison initially dismissed Houlihan’s report as a scam, but later realized that something was in fact afoot. On August 9, he emailed Houlihan back to say that Panera had begun “working on a resolution” after all.

But signs suggest that they never found one. As Krebs explained yesterday:

Fast forward to early this afternoon — exactly eight months to the day after Houlihan first reported the problem — and data shared by Houlihan indicated the site was still leaking customer records in plain text. Worse still, the records could be indexed and crawled by automated tools with very little effort.

As far as they know, no full credit-card numbers were leaked, but Krebs and other experts say the breached data did include “unique identifiers” that made scraping all available customer accounts “simple.” Houlihan adds that the flaw definitely “never disappeared” during that eight-month period; he was double-checking “every month or so because I was pissed.”

Krebs initially put the number of affected customer records at around 7 million. He contacted Panera for comment, and has screenshots of the company’s website going offline, coincidentally, after their conversation. However, Panera then gave statements to other media (Reuters, Fox Business) saying that Krebs was wrong, that “fewer than 10,000 consumers” were actually affected, and that they’re about “to finalize our investigation.”

Krebs started digging around some more and learned that (1) Gustavison was formerly senior director of security operations at Equifax

… and (2) his own original estimate of 7 million was probably a lowball figure — not even within five times of the actual number of affected customers. The breach appears to have extended into Panera’s commercial division, the part of the business that serves catering companies, and Krebs says that at last count, the number of compromised customer records appears “to exceed 37 million.”
