Welcome back to our Data Breach of the Month series, where we look at a notable cyber incident or data breach from the past month. Sometimes we’ll offer deeper analysis of the latest big breach, and other times we’ll focus on a lesser known incident that has outsized implications for the security industry.
In each case, you’ll learn the type of data breached, the vulnerabilities or gaps that were exploited, and what organizations can do to remediate effectively and address potential root causes.
So without further ado, our breach of the month for April 2018 is… Panera Bread’s exposed customer account data, which was left vulnerable for eight months after the leak was first reported.
On April 2nd, Panera acknowledged that data belonging to its online customers had been exposed, and briefly took a portal offline to patch the issue. This was in response to security blogger Brian Krebs breaking the story. Krebs was tipped off about the vulnerability by security researcher Dylan Houlihan, who had notified Panera of the exposed data eight months earlier.
When the story went public in April, Panera quickly announced that fewer than 10,000 customers were affected. However, Krebs and Houlihan argue that the real number could be between 7 and 37 million, because of related vulnerabilities throughout Panera’s online databases. In fact, according to Krebs, many of these records were still exposed when Panera announced the issue.
The exposed data includes names, usernames, email addresses, home addresses, phone numbers, birthdays, the last four digits of credit card numbers, and dietary preferences of users who had signed up for an account to order food online from Panera.
The database was exposed via a publicly available API endpoint that returned a customer record without checking who was asking for it. Customer account IDs were sequential integers, making it easy for data thieves to gather records in bulk, and the records could be indexed and crawled with ordinary automated tools. After the initial vulnerability was patched, the same problem was found on other API endpoints, as well as in an application used to connect with catering companies.
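The two design flaws described above, a lookup that performs no ownership check and record identifiers that are trivially guessable, are the classic shape of an insecure direct object reference. The following is an added example, not Panera’s code or D3’s product code, that places a handler with both flaws beside a hardened version (opaque random IDs plus an ownership check against the caller’s session) and adds a simple log check a defender could run to flag one client pulling many distinct account records in a short window. All records, log lines, IP addresses and function names are constructed for illustration.

```python
"""Added example (not Panera's or D3's code). Contrasts an account-lookup
handler exposed by sequential IDs and missing authorisation with a hardened
version, and shows a log check that flags bulk account enumeration.
Every record, IP address and log line below is constructed."""
import secrets
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed customer records keyed by sequential integer ID (the weak design).
ACCOUNTS = {
    1001: {"name": "A. Example", "email": "a@example.com", "card_last4": "1234"},
    1002: {"name": "B. Example", "email": "b@example.com", "card_last4": "5678"},
    1003: {"name": "C. Example", "email": "c@example.com", "card_last4": "9012"},
}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested record."""


def lookup_account_vulnerable(account_id):
    """Flawed handler: returns any record to any caller, keyed by a guessable ID."""
    return ACCOUNTS.get(account_id)


# Hardened design: customers address their own record through an opaque random
# token, and the handler refuses anything the authenticated session does not own.
OPAQUE_IDS = {}  # opaque token -> internal sequential ID


def issue_opaque_id(account_id):
    """Mints a non-guessable public identifier for an internal account ID."""
    token = secrets.token_urlsafe(16)
    OPAQUE_IDS[token] = account_id
    return token


def lookup_account_hardened(session_account_id, opaque_id):
    """Returns the record only if it belongs to the authenticated session.
    `session_account_id` stands in for whatever the login layer attached."""
    internal_id = OPAQUE_IDS.get(opaque_id)
    if internal_id is None or internal_id != session_account_id:
        raise Forbidden("caller is not authorised for this account")
    return ACCOUNTS[internal_id]


# Constructed access log: one client walks six account IDs in six seconds,
# another only refreshes its own record.
SAMPLE_LOG = """\
2018-04-02T10:00:00 203.0.113.5 GET /api/account/1001 200
2018-04-02T10:00:01 203.0.113.5 GET /api/account/1002 200
2018-04-02T10:00:02 198.51.100.7 GET /api/account/1001 200
2018-04-02T10:00:02 203.0.113.5 GET /api/account/1003 200
2018-04-02T10:00:03 203.0.113.5 GET /api/account/1004 200
2018-04-02T10:00:04 203.0.113.5 GET /api/account/1005 200
2018-04-02T10:00:05 203.0.113.5 GET /api/account/1006 200
2018-04-02T10:00:30 198.51.100.7 GET /api/menu 200
2018-04-02T10:00:31 198.51.100.7 GET /api/account/1001 200
"""


def flag_enumeration(log_text, window=timedelta(minutes=1), threshold=5):
    """Returns the set of client IPs that requested at least `threshold`
    distinct account IDs within any `window`-long span. The threshold is an
    assumed tuning value; a real deployment would calibrate it to its traffic."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, _method, path, _status = line.split()
        if not path.startswith("/api/account/"):
            continue
        account = path.rsplit("/", 1)[1]
        per_ip[ip].append((datetime.fromisoformat(ts), account))

    flagged = set()
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            distinct = {acct for t, acct in events[i:] if t - start <= window}
            if len(distinct) >= threshold:
                flagged.add(ip)
                break
    return flagged


if __name__ == "__main__":
    print("vulnerable handler leaks:", lookup_account_vulnerable(1002))
    token = issue_opaque_id(1001)
    print("owner read:", lookup_account_hardened(1001, token)["name"])
    try:
        lookup_account_hardened(1002, token)
    except Forbidden as exc:
        print("cross-account read refused:", exc)
    print("clients flagged for enumeration:", flag_enumeration(SAMPLE_LOG))
```

The ownership check is the fix that matters; the opaque identifier only removes the convenience of walking a numeric range. The log check is deliberately crude (distinct IDs per client per window) so that it can run over plain access logs, and it would have fired long before a researcher needed to report the exposure.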
The most notable aspect of this incident was Panera’s reluctance to act. They waited eight months to close the data leak, and even then it was only under the pressure created by Krebs covering the story. So why do organizations fail to act, even when presented with good reasons to believe their security is compromised? In a blog post recounting his efforts to convince Panera that their data was exposed, Houlihan argues that companies need to be more receptive to security reporting, and held accountable when they put PR ahead of remediation.
At D3, we think having the right tools in place can make the process of closing an outstanding vulnerability as easy as possible, resulting in faster action and less risk. From our perspective as incident response orchestration and case management software providers, here are a few features that could be particularly useful:
If you want to learn more about the features that help organizations react fast and conclusively to security incidents, check out our product guide. We’ll see you back here next month for a new Data Breach of the Month.