Commenting only on the speed of response (or the glacial interpretation of it in Panera's case):
I found his initial interaction with their head of IT Security (very first initial response) laughably appalling:
Dylan Houlihan <[email protected]>
to Mike, Geri Haight -
Hello Mike et al,
Thank you for making yourselves available. There is a security vulnerability on the delivery.panerabread.com website that
exposes sensitive information belonging to every customer who has signed up for an account to order Panera Bread online.
This shows the customer's full name, email address, phone number and the last four digits of their saved credit card number.
Moreover, the customers are easily enumerable which means an attacker could crawl through all the records.
I can provide the specific details of the vulnerability over email once you respond, but if you prefer (for more security),
I can also encrypt the information with a PGP key you provide me. Alternatively we can hop on a phone call.
Best regards,
Dylan Houlihan
And their response:
Mike Gustavison <[email protected]>
to dylan
Dylan,
My team received your emails however it was very suspicious and appeared scam in nature therefore was ignored. If this is
a sales tactic I would highly recommend a better approach as demanding a PGP key would not be a good way to start off.
As a security professional you should be aware that any organization that has a security practice would never respond to
a request like the one you sent. I am willing to discuss whatever vulnerabilities you believe you have found but I will
not be duped, demanded for restitution/bounty or listen to a sales pitch.
Regards,
Mike
I've developed a joke law that says that the amount of genuine information in a statement is inversely proportional to how polite and wordy it is. I.e. the "we take security seriously" PR fluffs.
And he joined Equifax after jumping ship from A. G. Edwards in 2008, presumably because the company was accused of fraud in that same year.
I’m sure the only reason that only partial credit card numbers were stolen is that PCI makes it very hard for Panera to store complete credit card numbers (with expiration dates and the security code on the back).
Krebs doesn't have to write his own blog series on how to handle breaches (although I might be interested in his version as well) Troy wrote a nice post about it
Most of the IT Managers / Directors I've worked with were never from developer backgrounds. They were either an "IT Guy" that stuck it out or the "network guy" whose extent of knowledge is seemingly plugging in a network cable.
I love that the maintenance page has a button labeled "Order Online" (https://delivery.panerabread.com), which is the page/domain broken in the first place!
I'd revise that from "if a breach happens" to "if a breach happens and the CSO demonstrated criminal negligence." The attack surface for security is too large, and it's not fair to hold a CSO of a cafe chain to such a standard when zero-days are also possible. Punish for being negligent, not for being attacked by a zero-day, or something else really obscure.
True but worth mentioning different forces were at stake there and here (although both very dark).
This is why you should lie as much as you can when dealing with for-profit corporations, especially online. Any information you give them will eventually be available to everyone, because they have no reason to care.
Wow, this story is amazing. Company got notified last August of a 0-day (no authentication) to download all customer records, but no action taken for half a year. Then a very bad PR stunt leading to even more exposure - one can't make this stuff up... it's April 3rd already, right?? Wondering why they couldn't just really fix the problem? Would be interesting to learn more on how they do engineering? E.g. was it all outsourced and someone else tries to fix it now? This year is going to be good!
My natural gas provider can't get my bill to print with me emailing them for over a year.
Cases like this are why I think the general public vastly overestimate the capabilities of government surveillance. These same people work at NSA, CIA, etc.
So here's a fun note - as it turns out, the Panera Bread Director of Information Security mentioned in that email exchange worked at Equifax from 2009 to 2013. There's a comment mentioning it on that page, but you can find it just by looking at his LinkedIn: https://www.linkedin.com/in/mike-gustavison-b020426/
somberi | 8 years ago
For companies operating in the European Union, the General Data Protection Regulation (GDPR) (1) mandates that such breaches need to be disclosed under 72 hours. The implementation deadline for GDPR is by the end of May 2018 (~7 weeks to go).
Under Armour, a US-based sports apparel manufacturer, who operates in the EU as well, recently had a breach that affected 150 million users, and went public within 3 days of discovering the breach (2).
I believe Under Armour's case is the norm we can expect going forward.
(1) https://en.wikipedia.org/wiki/General_Data_Protection_Regula...
(2) http://www.bbc.com/news/technology-43592470
crescentfresh | 8 years ago
mr_overalls | 8 years ago
This kind of incompetence directly endangers the privacy and security of anyone who does business with Panera. And it's reminiscent of the kind of incompetence that characterized the Equifax breach and other recent high-profile hacks.
Maybe it's time that a subset of IT workers become professionally licensed and liable, like engineers.
gargravarr | 8 years ago
>'demanding a PGP key would not be a good way to start off'.
Please tell me this man will be fired.
FRex | 8 years ago
Perhaps Mike knew that law and that's why he took Dylan's email as not genuine. Perhaps "yo fucka, I pwn'd your shit, tomorrow it's on the dark web if u no patch this link" would be the proper way to inform them of a leak.
Then again some people say it's good they didn't try to get Dylan arrested for "hacking".
ourmandave | 8 years ago
It's gotten so they have to run a diff to see if there's anything new.
perl4ever | 8 years ago
ams6110 | 8 years ago
fantunes | 8 years ago
Coincidence? Strike two?
mr_overalls | 8 years ago
His first security gig was Senior IT Security Analyst at A. G. Edwards and Sons. His only work experience before that was Supervisor of Branch Installations.
This seems unbelievable, but that senior security position was his first IT experience.
yAnonymous | 8 years ago
I assumed for some time that installing backdoors is a good way to sell customer data you otherwise wouldn't be allowed to share.
UberBoll | 8 years ago
Mike Gustavison, Director of Info Sec, Panera Bread
kevin_thibedeau | 8 years ago
maxlybbert | 8 years ago
robbyt | 8 years ago
dx034 | 8 years ago
tuna-piano | 8 years ago
B- How can a company have such a bad response? I think just about every big company has put a huge emphasis on data security. But hey, companies are big and technology is complex, so maybe data leaks still happen. But when they do, how can you treat them with such a lack of care? And how can the director of Security be alerted about this and not fix it? Seems potentially criminally negligent?
c- The tweets from Brian Krebs are also infuriating (and hilarious) https://twitter.com/briankrebs
Some highlights:
"Per my last tweet, Panera issued a statement to Fox News saying the breach only impacted 10,000 customer accounts. Interesting that they had no numbers for me, and yet had this 10k number all ready to go on the same day this was "discovered," eight months after it was reported."
"Hey Panera, despite your statements to the contrary, you still haven't fixed this customer info leak. Would you like to revisit the 10k number you just gave to Fox news? https://delivery.panerabread.com/foundation-api/users/12345"
"you know what, let's go for 37M instead of 7M: https://delivery.panerabread.com/foundation-api/users/12345"
"At the risk of making my job harder (or possibly, easier?) it's clear I'm going to have to write an entire series of blog posts about how not to handle a data breach from a PR perspective. I'm sputtering over here. Gave @panerabread every courtesy and they treat me like an idiot"
"Hey @panerabread : before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn't extend to all other parts of your business, like http://catering.panerabread.com , etc. Only proper response is to deep six entire site"
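Added example, written for this thread rather than taken from Panera or any commenter: the failure Krebs' tweets point at, a per-user lookup that answers any id with no caller identity, beside a handler that binds the id to the caller's session, plus a log check that flags one client walking many ids on that endpoint. The store, the session token, the field names and the access-log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample store (user id -> record) and session table (token -> user id)
USERS = {
    1001: {"name": "Ann Example", "email": "ann@example.invalid", "phone": "555-0100", "card_last4": "4242"},
    1002: {"name": "Bob Example", "email": "bob@example.invalid", "phone": "555-0101", "card_last4": "1881"},
}
SESSIONS = {"tok-ann": 1001}

def vulnerable_get_user(user_id):
    """Before: caller identity is never checked, so any id returns that customer's record."""
    rec = USERS.get(user_id)
    return (200, dict(rec)) if rec else (404, None)

def hardened_get_user(user_id, token):
    """After: require a session and serve only the caller's own record.
    Other ids get 404 rather than 403 so the endpoint does not confirm which ids
    exist, and the body omits fields the ordering flow does not need."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, None
    rec = USERS.get(caller) if user_id == caller else None
    if rec is None:
        return 404, None
    return 200, {k: rec[k] for k in ("name", "email", "card_last4")}

# Detection side: flag a client that fetches many distinct ids from the per-user endpoint
LOG_RE = re.compile(r'^(\S+) .*"GET /foundation-api/users/(\d+) ')

def enumeration_suspects(log_lines, threshold=3):
    """Return {client: distinct id count} for clients above the threshold."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) > threshold}

# Constructed access-log lines: one client walks four ids, another fetches only its own
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Apr/2018:10:00:01] "GET /foundation-api/users/1001 HTTP/1.1" 200',
    '198.51.100.7 - - [02/Apr/2018:10:00:02] "GET /foundation-api/users/1002 HTTP/1.1" 200',
    '198.51.100.7 - - [02/Apr/2018:10:00:03] "GET /foundation-api/users/1003 HTTP/1.1" 200',
    '198.51.100.7 - - [02/Apr/2018:10:00:04] "GET /foundation-api/users/1004 HTTP/1.1" 200',
    '203.0.113.9 - - [02/Apr/2018:10:00:05] "GET /foundation-api/users/1001 HTTP/1.1" 200',
]
```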
andimm | 8 years ago
https://www.troyhunt.com/data-breach-disclosure-101-how-to-s...
josefdlange | 8 years ago
Sometimes life imitates art.
justherefortart | 8 years ago
Between that and the fact most established businesses I've been in still treat IT like it's a necessary evil and waste of money, I'm not remotely surprised when stuff like this happens. My current company had a data breach, the IT Director swept it under the rug. I contacted my attorney for what I'm required to do (to cover my ass). I emailed my managers and moved on down the road.
danso | 8 years ago
https://imgur.com/a/4xess
mxpxrocks10 | 8 years ago
kardashev | 8 years ago
Instead of fines, the Chief Security Officer should be fully responsible and face 35 years in jail if a breach happens.
You better believe they'll care about security then.
Many companies would also rethink whether they need to track and keep personal information at all.
PakG1 | 8 years ago
RKearney | 8 years ago
It's a shame it ended the way it did, but please don't downplay what he did and use his name to push an agenda.
1690v | 8 years ago
joering2 | 8 years ago
In Swartz's case, the prosecutor was trying to make an example of him because his public university made/is making tons of money for providing information that should be free (or already is).
In this case, I would imagine they want people's info to be leaked and exposed as much as possible, just to have a good reason to fine those for-profit private companies.
Edit: in other words - show me a priest who doesn't want you to sin, or a cop who doesn't want you to break the law, or a doctor who is not fine with people getting sick. Otherwise they would all be out of a job.
unknown | 8 years ago
[deleted]
username223 | 8 years ago
kerng | 8 years ago
stef25 | 8 years ago
justherefortart | 8 years ago
So their old 1990s site worked fine. Upgrade to new whizbang bullshit and a steady stream of emails still can't get it to simply use a CSS print routine. Outsourcing is glorious!
mvkel | 8 years ago
Not to insult the intelligence of these fine agency folk; my point is security is only as strong as its weakest link. And whether public or private, people can make some very weak choices.
JohnJamesRambo | 8 years ago
A summary of their plan is at https://request.network.
What things would prevent them from implementing this? Seems like a great way to stop losing credit card and identity info in breach after breach.
SeriousM | 8 years ago
kerng | 8 years ago
cheeze | 8 years ago
justherefortart | 8 years ago
DrScump | 8 years ago
corpMaverick | 8 years ago
hashkb | 8 years ago
dsacco | 8 years ago
Time is a flat circle. Everything that has happened before will happen again. Every time it happens, we will hear "Security is our top priority" or "We take security very seriously."
EDIT: This just got more interesting. Turns out that despite taking the site down for an hour earlier today, they didn't fix it: https://twitter.com/briankrebs/status/980944555423002630
Also, based on the vulnerability still working at this endpoint [1], Krebs revised his estimated number to 37 million records: https://twitter.com/briankrebs/status/980949205974953984
________________________________
1. https://delivery.panerabread.com/foundation-api/users/678141...
ryandrake | 8 years ago
portofcall | 8 years ago
I’d prefer crippling fines.
firstplacelast | 8 years ago
There’s no accountability and it’s about protecting everyone in that class at the expense of all other employees and consumers.
Yay, America!!