Another Company Blows Off Breach Notification For Months, Lies About Affected Customers When It's Exposed

from the trust-no-one dept

Another day, another security breach. Another day, another security breach handled badly by the company leaking data. Another day, another security researcher being treated like garbage for attempting to report it. Etc. Etc.

The perpetrator here is Panera Bread. Researcher Dylan Houlihan informed Panera Bread its online ordering service was leaking data. This notification happened months ago.

In August 2017, I reported a vulnerability to Panera Bread that allowed the full name, home address, email address, food/dietary preferences, username, phone number, birthday and last four digits of a saved credit card to be accessed in bulk for any user that had ever signed up for an account. This includes my own personal data! Despite an explicit acknowledgement of the issue and a promise to fix it, Panera Bread sat on the vulnerability and, as far as I can tell, did nothing about it for eight months.

Houlihan emailed Mike Gustavision — then Panera’s head of security — about the vulnerability. As with many other discovered data leaks, all a user had to do was alter digits in the company’s online ordering site to view other people’s personal information. Users did not even need a Panera account to do this.

Houlihan’s notification attempt was greeted with derision by Panera’s security head.


My team received your emails however it was very suspicious and appeared scam in nature therefore was ignored. If this is a sales tactic I would highly recommend a better approach as demanding a PGP key would not be a good way to start off. As a security professional you should be aware that any organization that has a security practice would never respond to a request like the one you sent. I am willing to discuss whatever vulnerabilities you believe you have found but I will not be duped, demanded for restitution/bounty or listen to a sales pitch.

Eventually, Gustavision provided a PGP key and allowed Houlihan to send him info on the site’s vulnerability. But, as Houlihan points out, this is no way to treat someone reporting a possible breach. Not only was the immediate response needlessly combative, the company’s response to the notification was to do nothing until it was publicized by other security researchers.

This was contrary to Gustavision’s statements to Houlihan, which claimed Panera’s security team was “working on a response.” That was the claim last August. Houlihan continued to check the site since his own information was included in what was exposed and nothing changed until April of this year, eight months after being notified.

Somehow, Panera was magically on top of the situation when it went mainstream. After Brian Krebs spoke to the company’s CIO about the breach, Panera briefly took its site offline for maintenance. It then declared it had fixed the hole within two hours of notification, glossing over the fact it had been notified eight months earlier and done nothing. It also downplayed the problem as only affecting a small portion of Panera customers.

Almost minutes after this story was published, Panera gave a statement to Fox News (no link will be provided) downplaying the severity of this breach, stating that only 10,000 customer records were exposed.

In essence, it lied to press outlets seeking comment. Security researchers noted the problem hadn’t even been completely fixed yet.

Almost in an instant, multiple sources — especially @holdsecurity — pointed out that Panera had basically “fixed” the problem by requiring people to log in to a valid user account at in order to view the exposed customer records (as opposed to letting just anyone with the right link access the records).

And it was far, far bigger than Panera publicly claimed. Krebs initially estimated the exposed records at 7 million. Additional research by Krebs showed multiple divisions of Panera were affected by the same vulnerability (like its online catering service). After examining APIs used by Panera’s online services, Krebs estimates close to 37 million records have been exposed.
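The gap between the original leak, the login-only change described above, and a per-record ownership check, as an added example that is not Panera's code or anything from the original reporting. The handler names, the `RECORDS` store and its sample rows are hypothetical and constructed for illustration.

```python
# Constructed sample data; IDs are sequential, as in the "alter digits" description.
RECORDS = {
    1001: {"owner": "alice", "name": "Alice Example", "card_last4": "4242"},
    1002: {"owner": "bob", "name": "Bob Example", "card_last4": "1881"},
}


class Forbidden(Exception):
    """Caller is not allowed to read the requested record."""


def get_record_open(record_id, session_user=None):
    # Behaviour as first reported: numeric ID in, record out, no checks at all.
    return RECORDS[record_id]


def get_record_login_only(record_id, session_user=None):
    # The reported "fix": authentication is required, authorization is not.
    if session_user is None:
        raise Forbidden("login required")
    return RECORDS[record_id]


def get_record_owner_checked(record_id, session_user=None):
    # Object-level authorization: the record must belong to the caller.
    if session_user is None:
        raise Forbidden("login required")
    record = RECORDS.get(record_id)
    # Same error for "missing" and "not yours", so IDs cannot be probed.
    if record is None or record["owner"] != session_user:
        raise Forbidden("not found or not permitted")
    return record


def readable_ids(handler, session_user, candidate_ids):
    """Authorization regression check: IDs this caller actually gets data for."""
    allowed = []
    for record_id in candidate_ids:
        try:
            handler(record_id, session_user)
            allowed.append(record_id)
        except (Forbidden, KeyError):
            pass
    return allowed
```

Run as a regression test, `readable_ids` shows that the login-only handler still returns every record to any signed-in account, while the ownership check returns only the caller's own.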

What will Panera learn from this? Whatever it does learn won’t spread to other companies, that’s for certain. Breach after breach has shown us companies are willing to shoot the messenger, cover up the damage, ignore repeated notifications, and obfuscate when breaches are finally exposed. Panera didn’t handle breach notification worse than other companies have. It just did as little as possible until forced to confront the problem. This mindset is shared by far too many entities. They love scooping up personal data, but not the security responsibility that comes with it.

Companies: panera


Comments on “Another Company Blows Off Breach Notification For Months, Lies About Affected Customers When It's Exposed”

That One Guy (profile) says:

"I don't get it, why didn't anyone tell us beforehand...?"

And yet another perfect example of why it’s useless to contact a company with security flaws, rather than just ignoring it or, if you want to force the issue, anonymously making it public and forcing them to scramble to fix it.

The one upside to this is that while they brushed him off initially, and then ignored him after that, at least they didn’t try to sue him to shut him up as others have done. The fact that this is an unexpected positive however shows just how risky security researchers and those that try to help out have it, and how utterly insane so many companies can be when it comes to dealing with security.

Joel Coehoorn says:


I get so many sales pitches at my work address, I don’t blame that guy for that first response at all. If a sales guy could get through just by claiming to report a vulnerability, you can bet lots of sales folks would do that. He explicitly says, “I am willing to discuss…”. We should really be looking at how that next conversation went, rather than this one.

Anonymous Coward says:

It’s in the employee’s interest to ignore notifications like this. If he does his job and brings it up to higher management, he’s liable to get thrown out of the company. They’ll investigate him, find something or invent something, and end the issue like that while sending a message to others.

How do I know this? Happened to me. Career poof!

I.T. Guy says:

Re: Re:

I’d rather get fired doing the right thing and slip off into obscurity than have my name associated with a major breach.

Not just a breach but ignoring a breach then handling it badly.

Mike Gustavision better just wipe his tenure at Panera Bread from his Resume and hope nobody remembers his name. I wouldn’t hire this guy to image machines.

Anonymous Coward says:

Re: Re: Re:

That was one of the reasons I gave for why I brought it up to them. I would not allow my name to be attached to a worldwide scale data breach.

However, that said, his best moves are to either ignore it or quit immediately. By responding so poorly, his professional name is forfeit. If he ignored it instead, he could say that he didn’t receive the notification because it was thought to be spam. If he brought it to higher management, he would become the problem.

Losing your job for doing the right thing is no joke. It has been a life altering event for me. I see the world completely differently. I’ve thrown away religion. I lost nearly all of my friends. When I called for a reference from one of my closest colleagues, HR responded with a threat of harassment. I can say with full confidence that it is not worth it, just leave immediately and do not look back.

Anonymous Coward says:

Oh Woe Is Us!

“If only we had known then we’ve patched it!” They cry playing oblivious to the fact that in the same breath also shot the messenger who tried to warn them.

Seriously, these companies bully and intimidate security researchers who when they find an exploit do the right thing and try to tell said company so it can be fixed and how are they rewarded? Being ignored at best, lawsuits and jailtime at worst and these companies have the gall to ask why no one tried to warn them!

“If you can’t secure it, don’t keep it.” – Brian Krebs

That One Guy (profile) says:

Re: "It wasn't a problem until you told us about it."

Short-term it does make a twisted sort of sense, in the managerial ‘If I don’t know about the problem it’s not a problem’ way. Before being told about the problem the problem didn’t exist, it’s only after being told that now they have to deal with it, therefore the cause of the problem is not the vulnerability, it’s the person who reported it.

Long-term of course that kind of thinking and acting all but ensures that those that aren’t looking to exploit vulnerabilities will keep their mouths shut, such that the first time a company learns about a flaw is when it’s used against them, but that’s something for someone else to deal with, or even them but not now.

Anonymous Coward says:

Panera won’t learn a thing, won’t do a thing except lie further to (try) to cover its own ass and continue to blame the very person/people who tried to help it by warning of the problem. None of this would have come about had it not been for the USA govt and law enforcement being allowed to get away with blaming everyone else, every time a whistleblower exposed their wrongdoings! And let’s face it, there’s nothing more sacred than saving something that the govt and police want hidden!!

That Anonymous Coward (profile) says:

Until the cost of inaction > the cost of the PR spin, this will continue.

Imagine a law that allowed multipliers for the number of times they blew off people reporting the issue.
Imagine a multiplier for lying about number affected.
Imagine a multiplier blaming “hackers” to cover your own ineptness.

The public response to these things is getting muted because we literally expect some site to be leaking our shit every 3 days.

Remember when they would change the color of the rainbow alert system every 4 hours based on ‘chatter’ that they could never explain lest the ninja terrorists figure out we were spying on them???

These little shits screamed wolf enough that we stopped paying attention & we fret about the body parts around town, rather than hire a better wolf spotter & beating the ass of any kid who lies about a wolf.
