Slashdot Mirror
Panerabread.com Leaks Millions of Customers Records (krebsonsecurity.com)
An anonymous reader quotes a report from Krebs on Security: Panerabread.com, the website for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records -- including names, email and physical addresses, birthdays and the last four digits of the customer's credit card number -- for at least eight months before it was yanked offline earlier today, KrebsOnSecurity has learned. The data available in plain text from Panera's site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com. The St. Louis-based company, which has more than 2,100 retail locations in the United States and Canada, allows customers to order food online for pickup in stores or for delivery.
Another data point exposed in these records included the customer's Panera loyalty card number, which could potentially be abused by scammers to spend prepaid accounts or to otherwise siphon value from Panera customer loyalty accounts. It is not clear yet exactly how many Panera customer records may have been exposed by the company's leaky Web site, but incremental customer numbers indexed by the site suggest that number may be higher than seven million. It's also unclear whether any Panera customer account passwords may have been impacted. In a written statement, Panera said it had fixed the problem within less than two hours of being notified by KrebsOnSecurity. But Panera did not explain why it appears to have taken the company eight months to fix the issue after initially acknowledging it privately with [security researcher Dylan Houlihan, who originally notified Panera about customer data leaking from its website back on August 2, 2017].
Another data point exposed in these records included the customer's Panera loyalty card number, which could potentially be abused by scammers to spend prepaid accounts or to otherwise siphon value from Panera customer loyalty accounts. It is not clear yet exactly how many Panera customer records may have been exposed by the company's leaky Web site, but incremental customer numbers indexed by the site suggest that number may be higher than seven million. It's also unclear whether any Panera customer account passwords may have been impacted. In a written statement, Panera said it had fixed the problem within less than two hours of being notified by KrebsOnSecurity. But Panera did not explain why it appears to have taken the company eight months to fix the issue after initially acknowledging it privately with [security researcher Dylan Houlihan, who originally notified Panera about customer data leaking from its website back on August 2, 2017].
Walk on home boy!
I have the last four digits from one company, and the first four digits from another.
What are the odds of guessing the full number?
'cause nobody made them. your data is your problem. not ours.
Does ANYONE know what they're doing with this sh!t?
Because at this point, all I can safely say is this: If it's online, it ain't secure... period. No matter who tells you it is, it ain't.
There's an entire industry based around exploiting these kinds of holes for financial gain.
panera, underarmour, zillow, trulia, dominos, wayfair etc etc. Track the sales/customer data, you have a very good idea of revenue numbers.
Security researcher though? Bleh.
luckily I always use a fake birthday for this marketing bullshit. I guess have fun with my email and home address. That's already listed on WHOIS
They're gonna be toast!
I we just reported the 2 companies that didn't hand over our data.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
My first thought was that Panera doesn’t have my credit card number, since I’ve always used NFC payments (Apple Pay) there. But still - with physical address, email address, and birthday, it probably wouldn’t take much for a bad guy to bluff his way into any number of my other accounts and/or steal my mail to get any physically sent verification (like Citi uses).
If it were only a matter of some jerk getting into my Panera account... but that is the least of my worries.
#DeleteChrome
Oh for crying out loud! Why the heck would anyone give your name, email address, physical addresses, or birthday to Panera bread just to do an online order! These data breaches are bad, but I'm sick and tired of everyone giving away completely unnecessary information! If the cashier says "What's your zip code" you say "no thanks." If the grocery store wants you to give your name and phone number to get a discount card either lie, or don't get the discount. Enough is enough folks! My sympathy has run out.
Always wondered why it cost $9 to get a kid-sized grilled cheese. Now I know it's to pay for cybersecurity lawsuits.
This is almost as disgusting as those bland bread rings they have the gall to call 'bagels'.
A consumer isn't liable for credit card fraud. A new credit card number is trivial to get (call number on back of card. report stolen).
But since you paid with Apple Pay, they've also got your Apple ID, and maybe even your phone number.
I don't respond to AC's.
I keep saying, the following penalty scheme will clean up data breaches right quick:
$1 per name, email, physical address
$2 per phone number
$3 per credit card number
$4 per SSN
And multiply for combinations thereof. You'll see how fast companies move to secure their data.
I suspect the guy in charge of web development is toast and will find it hard to pick up the crumbs and make new dough in future. At yeast he has his dignity. Right?
Just sign up with one of the tokenizing payment systems, like Apple Pay. The company itself does not have your credit card numbers, because they are in hardware you carry around. Each purchase generates a single-use card number that the vendor does not need to store anywhere after the transaction.
Somebody could hack into my loyalty account and take the free cookie I am due with three more visits.
I am expecting to get a Month Of Bagels out of this.
... or close to localhost at least. I always wondered what they did with all the data I send by mistake to 12.7.00.1
NetRange: 12.7.0.0 - 12.7.0.7
CIDR: 12.7.0.0/29
NetName: PANERA-B13-0-0
NetHandle: NET-12-7-0-0-1
Thanks to Carbs on Security for keeping us posted
They have no idea how it went for 8 months?
Here let me explain how it went for 8 months. The company didn't want to hire internal programmers and pay them a decent salary. They hired some 3rd party who gathers up programmers and pays them like shit and forces them to make everything in ancient technology because some manager running the project got promoted after using ancient technology and now only uses ancient technology. The site and its flaws are a fundamental reflection of its creation process and architecture.
Why would they do this? Why do they all do this? Well business people do not like technical people, business people have an ego and do not understand half of what IT people are saying. They are too afraid of being caught in a blame game so they shift the whole thing over to a 3rd party. They also abdicate control over a mission critical system to a 3rd party but hey who cares right, that is now their problem and everything can be settled with contract negotiations and meetings which is warm and comfortable like a blanket fresh out the dryer.
If these companies had a solid well paid respected internal team with good leadership we wouldn't read about cock-ups every other week. I feel like IT and management are having a cold war and neither of us are willing to blink. We demand to be paid properly for years of education and specialist experience, fair is fair. At some point management needs to put on their big boy pants, give the IT folks their due respect, pay and ability to work slowly and carefully on technical issues like architecture.
None.
Those of us who care about incidents like this are increasingly painted into a corner. The sheeple, on the other hand, just don't care. If they get a chance to trade their contacts list for 20 "reward points", they'll do it in a heartbeat. If you're on that list, too bad.
And companies like Panerabread continue to get away with this kind of nonsense.
Just once, I would love to see somebody whose family was affected by something like this put the entire lives of the offending corporation's board on-line. Names, addresses, tax returns, where their kids go to school...all of it. See how they like it when they face the same sort of exposure they inflict on others, with maybe a little interest added.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Gotta get that free birthday pastry, obviously.
Related, but not to this particular case.
In the EU, the GDPR will take effect in a couple of months and will have a penalty of up to 4% of worldwide turnover for these types of breaches.
I guess some really big companies will be affected by this in the years to come, and it will force a change of focus starting from the top of companies who want to do business in Europe.
Who's going to fucking jail for this? Who's going to fucking jail!!!
So, the card companies can asses a fine of up to $100,000 per month per violation. Per TFA, the number affected "exceed 37 million", and they knew about this for 8 months. Therefor, Panera / the processing bank/ "someone" should be hit with a $29,600,000,000,000. Well, the "whole PAN" wasn't exposed, only the last 4 out of 16. So, to be fair, the fine should be $7,400,000,000,000. I'm sure they have proper "errors and omissions insurance" to cover about 10% of GWP (global world production). I mean, that's what insurance is for, right? Ten percent, that's in The Bible!
Source
As long as there is no accountability, meaning somebody high up gets at least fired and a serious fine is imposed, nothing will change.
What is the real reason companies would do anything about it? Because it is a bit bad press and that will cost them a bit of customers. As a company I would say "Fuck it, save the data on every local PC in plain text. Much cheaper. We will deal with it when it happens"
Then when it happens, you just say 'Oops' and do it then.
Now if the fine where dependent on both the worth of the company and the number of people (not just accounts stolen or customers) it would be worthwhile for companies to invest in security.
Say with a minimum of 1USD per persons account hacked and more if the company is worth a lot.
That should be the low fine if they say that data has been breached. Times three if they don't.
And if they bought the data from another company, that company should be fined as well.
I bet you will hear much less about major hacks within a week. And they will be a LOT more careful about selling data, which should not be possible in the first place.
Without accountability? Meh!
Don't fight for your country, if your country does not fight for you.
Let me guess, another diversity hire?
Looking at the history of the report and Panera's response, it just reinforces my belief that "responsible disclosure" just serves to protect the company/vendor from liability and provides no incentive to change behavior. Immediate full disclosure would introduce some incentives to actually change behavior. Although a reasonable compromise might be cutting the time to disclosure down enough, this guy gave them eight months. Two weeks would be better.
This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
And here we have today's attack not stopped by APK's work. I guess he has admitted defeat and likely won't post to dispute this even if he does find someone who has created a hosts file entry that will stop this attack long after it has happened.
This is what we get from hiring cheap third world H1B labor. Third world labor, third world code. Best thing we can do is kill the entire H1B program and hire only American geeks to maintain these systems
Know how to stop falling victim to this shit?
It's dirt fucking simple .. stop giving every fucking company your fucking personal information.
Tech companies can barely implement security, you have no fucking reason to believe that Panera Bread can.
I refuse to sign up for this shit and hand over my information, because I assume it will either be misused, or hacked. I value my privacy more than I do some stupid little coupon.
Fuck marketing promotions, and no, you can't have my fucking email address or date of birth or anything else like that.
Panera has been on my do-not-buy-there list for some time. My favorite bagel is the jalapeno-cheese variety. The local Panera only made them occasionally. The last time I asked when they would be making them again, the snooty dipstick behind the counter said they were no longer making them. When I asked why, she said something about fat content or some related drivel. When I explained I exercise a lot and I'll eat anything I please and would you make them again, she said no way. I said you'll get no more business from me and adios.
Panera is one of those companies that's gotten too big for its britches. Screw these morons, I'll go elsewhere and be treated better.
Circle the wagons and fire inward. Entropy increases without bounds.
I always put April 1 as my birthday when companies ask for it for their membership bonus programs. It's easy to remember and after all, the joke's on them. Why would anyone give their real birth date to these kinds of things?
Give company sites like this fake names, fake birthday's etc.
I've lost track of how many different birthdays and names entered into web sites.
In other words, millions of people are outed as having eaten at Panera bread. What's next, making people own up to having gone to Olive Garden? Do these hackers have no shame?
He was Chief Security Officer at Equifax until 2013.