The fast-casual restaurant Panera Bread scrambled this week to take down a portion of its site that was leaking the personally identifiable information of millions of customers, eight months after it first learned about the issue.
A slew of information belonging to customers who ordered through Panera's ordering portal at more than 2,100 retail locations in the U.S. and Canada was leaked through the site. The information contained customers' usernames, first and last names, email addresses, phone numbers, birthdays, addresses, and perhaps most serious, the last four digits of any saved credit card number they used.
Until it was taken down, the culprit, an unauthenticated API endpoint, could have allowed anyone to view the data, even if they had never ordered from Panera or set up an account.
Dylan Houlihan, the security researcher who uncovered the endpoint, first reported the issue to the company's Information Security Director, Mike Gustavison, last August. Houlihan was initially rebuffed but eventually was able to share his findings. After five days of radio silence Gustavison told the researcher Panera was "working on a resolution."
That resolution never came to fruition. Eight months after he reported the issue, Houlihan reached out to both web security expert Troy Hunt and security reporter Brian Krebs to disclose the vulnerability.
It was only after Krebs published his blog on the issue that the company took its site offline for an hour to address the issue.
It's unclear exactly how many customers may be impacted. Krebs first suggested more than seven million customers may have had their information left out in the open. Researchers posited Monday that Panera’s commercial division, which services catering companies, was also affected. If true the number of breached customer records may hover somewhere around 37 million.
Krebs arrived at the number after receiving links shared by Hold Security LLC, a Wisconsin-based security consultancy that assisted him in his research following last fall's Equifax breach.
Hey @panerabread : before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn't extend to all other parts of your business, like https://t.co/rSpkwc3y1v, etc. Only proper response is to deep six entire site
— briankrebs (@briankrebs) April 2, 2018
In addition to the last four digits of a customer's credit card being leaked, customer account IDs were also prominently featured in the database. According to Houlihan, if an attacker wanted to, they could move laterally through the database, account number by account number, in order to gather information about each customer.
“You don’t need to target any specific user or interact with them whatsoever to collect this information. You don’t even need to be logged in. You can just increment that number sequentially, and you’ll grab every single user in the database,” Houlihan wrote in a Medium post on his findings.
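The pattern Houlihan describes is an insecure direct object reference: an endpoint that takes a customer id from the URL and returns the record without checking who is asking, so consecutive ids map to consecutive customers. The Python below is an added illustration, not Panera's code and not anything Houlihan published. The customer records, session store, log lines, IP addresses and the `/api/customer/<id>` path shape are all constructed assumptions. It places the flawed lookup beside a hardened one (a valid session is required, a caller may only read their own record, and the saved-card digits are never returned), and adds a small log check a defender could run to flag a client walking consecutive ids.

```python
"""Unauthenticated sequential-id lookup beside a hardened version, plus a
log check for id enumeration. All data here is constructed for the example."""
import re
import secrets
from typing import Optional

# Constructed sample records keyed by sequential integer ids, as in the article.
CUSTOMERS = {
    1001: {"username": "alice", "email": "alice@example.com", "card_last4": "4242"},
    1002: {"username": "bob", "email": "bob@example.com", "card_last4": "1111"},
    1003: {"username": "carol", "email": "carol@example.com", "card_last4": "9876"},
}


class AuthError(Exception):
    """Raised when no valid session accompanies the request."""


class NotFound(Exception):
    """Raised for records the caller may not see (or that do not exist)."""


def lookup_vulnerable(customer_id: int) -> dict:
    """Shape of the flawed endpoint: no session, id taken straight from the
    request, full record returned. Anyone can walk the id space."""
    if customer_id not in CUSTOMERS:
        raise NotFound
    return CUSTOMERS[customer_id]


# Hardened version. SESSIONS maps an opaque token to the customer who logged in
# (constructed in-memory stand-in for a real session store).
SESSIONS: dict = {}


def login(customer_id: int) -> str:
    """Issue an unguessable session token for an already-authenticated customer."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def lookup_hardened(session_token: Optional[str], customer_id: int) -> dict:
    """1. Authentication: a valid session must be present.
    2. Authorization: the record must belong to the caller (object-level check).
    3. Minimization: return only the fields the client needs, never card digits."""
    if not session_token:
        raise AuthError("no session")
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise AuthError("invalid session")
    if caller != customer_id:
        # Same response as a missing record, so the endpoint does not confirm
        # which ids exist to a caller who is not entitled to them.
        raise NotFound
    record = CUSTOMERS.get(customer_id)
    if record is None:
        raise NotFound
    return {"username": record["username"], "email": record["email"]}


# Detection side: flag a client that requests a long run of consecutive ids.
# Log format is a constructed simplification: '<ip> - "GET <path>" <status>'.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ "GET /api/customer/(?P<id>\d+)" (?P<status>\d{3})$')

SAMPLE_LOG = [  # constructed; 203.0.113.7 walks 1001..1006, 198.51.100.3 does not
    '203.0.113.7 - "GET /api/customer/1001" 200',
    '198.51.100.3 - "GET /api/customer/1002" 200',
    '203.0.113.7 - "GET /api/customer/1002" 200',
    '203.0.113.7 - "GET /api/customer/1003" 200',
    '203.0.113.7 - "GET /api/customer/1004" 404',
    '198.51.100.3 - "GET /api/customer/1002" 200',
    '203.0.113.7 - "GET /api/customer/1005" 404',
    '203.0.113.7 - "GET /api/customer/1006" 404',
]


def detect_enumeration(log_lines, min_run: int = 5) -> dict:
    """Return {ip: longest_consecutive_id_run} for clients whose run >= min_run."""
    ids_by_ip: dict = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ids_by_ip.setdefault(m["ip"], []).append(int(m["id"]))
    flagged = {}
    for ip, ids in ids_by_ip.items():
        longest = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[ip] = longest
    return flagged


if __name__ == "__main__":
    tok = login(1001)
    print("hardened, own record:", lookup_hardened(tok, 1001))
    print("enumeration alerts:", detect_enumeration(SAMPLE_LOG))
```

The detector counts both 200 and 404 responses on purpose: a client probing ids that do not exist is as telling as one reading ones that do, and a real deployment would also key on the missing session rather than only on the id sequence.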
Panera didn't immediately return a request for comment on Tuesday but told the popular restaurant blog Eater that as a result of the incident there was no evidence payment card information or customer records were accessed or retrieved.
Panera continued to downplay the incident in its statement, insisting that "fewer than 10,000 consumers have been potentially affected by this issue," a figure that squares with neither Krebs' nor Hold Security's findings.
“Panera takes data security very seriously and this issue is resolved. Following reports today of a potential problem on our website, we suspended the functionality to repair the issue.
Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved. Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue and we are working diligently to finalize our investigation and take the appropriate next steps.”
It's the second high-profile breach to make headlines this week. On Sunday the department stores Saks Fifth Avenue, Saks OFF 5th, and Lord & Taylor revealed that their parent company, Hudson's Bay Co., suffered a breach of its payment systems that impacted five million credit cards.