Millions of Panera Bread customers info exposed in security flaw

According to Ars Technica, 37 million Panera Bread customer records have been exposed due to a security flaw that the company failed to fix until recently, despite having been made aware of the flaw eight months ago.

The restaurant chain claimed that fewer than 10,000 customers’ privacy had been breached when it fixed the flaw early this week. But security researcher Brian Krebs argues that millions of records were “available online and that they remained available at publicly accessible URLs after Panera said the flaw was fixed.”

The information that was leaked online included customers’ loyalty card numbers, which Krebs wrote on his security website could “potentially be abused by scammers to spend prepaid accounts or to otherwise siphon value from Panera [customers].” The information also included full names of customers, email addresses, phone numbers, birthdays, the last four numbers of credit cards, addresses, saved food preferences, and dietary restrictions.

According to security researcher Dylan Houlihan, who talked to Ars Technica, the flaw “let anyone search by a variety of customer attributes, including phone number, email address, physical address, or loyalty account number.”

Ars Technica reports that the “URLs appear to have finally been scrubbed of the customer information, as they now produce error messages instead of customer data.”

Panera was made aware of the data leak on August 2nd of last year in an email by Houlihan, who offered to call Panera to help inform the company of what was happening. As Ars Technica describes, “In response, Panera Information Security Director Mike Gustavison accused Houlihan of trying to scam the company.” In other words, Panera allowed the flaw to go unchecked for months, exposing user data, despite prior knowledge.

Although the flaw is now fixed, and user data is no longer up for grabs by anyone with a Wi-Fi connection, many feel Panera’s response to the entire situation was somewhat disappointing, especially in regards to downplaying the number of customers impacted.

Source: arstechnica.com – Panera accused security researcher of “scam” when he reported a major flaw
Published: April 3, 2018