Even your damn bread bowl is now a security risk.
Panera Bread left the information of up to 37 million customers who signed up for delivery and other services including “names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number” in plain text format accessible via its web site, per a report on Monday from KrebsOnSecurity. Brian Krebs, a well-respected security writer, wrote that researcher Dylan Houlihan identified and notified the fast-casual bakery chain about the vulnerability as long ago as August 2nd, 2017. It looks an awful lot like Panera never did anything about it until Monday—meaning anyone could have wandered by and decided to grab the data for eight months.
Houlihan provided Krebs emails showing Panera information security director Mike Gustavison had acknowledged the vulnerability in August 2017. But Krebs added it wasn’t until Monday that they took any action on what was initially believed to be seven million exposed records:
Fast forward to early this afternoon — exactly eight months to the day after Houlihan first reported the problem — and data shared by Houlihan indicated the site was still leaking customer records in plain text. Worse still, the records could be indexed and crawled by automated tools with very little effort.
For example, some of the customer records include unique identifiers that increment by one for each new record, making it potentially simple for someone to scrape all available customer accounts. The format of the database also lets anyone search for customers via a variety of data points, including by phone number.
Panera apparently downplayed the breach in a statement to Fox News and other outlets, saying less than 10,000 customers were known to be affected. Yet Krebs wrote that Panera’s supposed “fix” still left other parts of the site unprotected, including its catering application, and that “At last count, the number of customer records exposed in this breach appears to exceed 37 million.”
It’s not clear whether anyone actually accessed the records in question during the time they were exposed.
As time went on, it became clear that there were numerous other obvious problems with the Panera site’s security like exposed administrative logins.
The Panera site is offline as of Monday evening, and failed to load so much as 404 page.
The kicker? Gustavison appears to have previously worked as a senior director for security operations at Equifax, according to his LinkedIn, though his tenure at Equifax appears to predate by years the known scope of the breach of nearly 148 million Americans’ data there.
“Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved,” Panera’s chief information officer, John Meister, told Reuters.
Gizmodo reached out to Panera for comment, and we’ll update this post if we hear back.
[KrebsOnSecurity and Dylan Houlian via CNET]