Slashdot Mirror

← Back to Stories (view on slashdot.org)

Panerabread.com Leaks Millions of Customers Records (krebsonsecurity.com)

Posted by BeauHD on from the when-it-rains-it-pours dept.

An anonymous reader quotes a report from Krebs on Security: Panerabread.com, the website for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records -- including names, email and physical addresses, birthdays and the last four digits of the customer's credit card number -- for at least eight months before it was yanked offline earlier today, KrebsOnSecurity has learned. The data available in plain text from Panera's site appeared to include records for any customer who has signed up for an account to order food online via panerabread.com. The St. Louis-based company, which has more than 2,100 retail locations in the United States and Canada, allows customers to order food online for pickup in stores or for delivery.

Another data point exposed in these records included the customer's Panera loyalty card number, which could potentially be abused by scammers to spend prepaid accounts or to otherwise siphon value from Panera customer loyalty accounts. It is not clear yet exactly how many Panera customer records may have been exposed by the company's leaky Web site, but incremental customer numbers indexed by the site suggest that number may be higher than seven million. It's also unclear whether any Panera customer account passwords may have been impacted. In a written statement, Panera said it had fixed the problem within less than two hours of being notified by KrebsOnSecurity. But Panera did not explain why it appears to have taken the company eight months to fix the issue after initially acknowledging it privately with [security researcher Dylan Houlihan, who originally notified Panera about customer data leaking from its website back on August 2, 2017].

58 of 88 comments (clear)

  1. Pantera by fattmatt · · Score: 4, Funny

    Walk on home boy!

    1. Re:Pantera by wardrich86 · · Score: 1

      I wish I had mod points today :(

    2. Re:Pantera by Anonymous Coward · · Score: 1

      Pantera Bread

      A Vulgar Display of Flour

  2. Four by four by dohzer · · Score: 1

    I have the last four digits from one company, and the first four digits from another.
    What are the odds of guessing the full number?

    1. Re:Four by four by Anonymous Coward · · Score: 1

      100,000,000:1

      Then you still need the security code on the back.
      which is 100,000,000,000:1

      And/or possibly the billing zip code.
      which would be 10,000,000,000,000:1

      But hey, you're getting there!

    2. Re: Four by four by Anonymous Coward · · Score: 3, Insightful

      Easy, just call up the card owner, tell them you're from the bank and verify with the last four digits. They'll give it to you no problem!

    3. Re:Four by four by Anonymous Coward · · Score: 1

      The TFA said the breach included the physical addresses. You have the ZIP code.

    4. Re: Four by four by dclydew · · Score: 2

      The first 6 digits are the BIN range which identify the Card Type (first digit) and Issuing Bank (rest of the BIN). Those are not (by themselves) sensitive. The PCI specification states that the first 6 and last 4 digits of a PAN may be in the clear i.e. 5555 43** **** 3232 and that this has a difficulty of being guesses of 10^6 (due to Luhn check).

      As long as the middle 6 are not exposed, then first 6/last 4 isn't a 'huge' concern from a card compromise perspective. It is however, a large risk from a social engineering perspective. An attacker could answer certain security questions and/or pretend to be someone who legitimately has that kind of information and convince people to think they are an appropriate organization to share further information with.

      --
      Get a life, not a lifestyle. - Hikem Bey
    5. Re: Four by four by OrangeTide · · Score: 1

      I think it was a rhetorical question. Not that he was seeking the answer to it, but he was trying to make a point with it.
      But maybe I'm giving him too much credit.

      --
      “Common sense is not so common.” — Voltaire
  3. But Panera did not explain by john+of+sparta · · Score: 2

    'cause nobody made them. your data is your problem. not ours.

  4. Good grief by Anonymous Coward · · Score: 2, Interesting

    Does ANYONE know what they're doing with this sh!t?

    Because at this point, all I can safely say is this: If it's online, it ain't secure... period. No matter who tells you it is, it ain't.

    1. Re:Good grief by OrangeTide · · Score: 1

      They send me coupons for sandwiches. And probably sell my data to marketing firms, most likely for regional spending statistics.

      Also with the account I can order online for pick up, and I get a free pastry sometimes (I think once a month?)

      --
      “Common sense is not so common.” — Voltaire
    2. Re: Good grief by Anonymous Coward · · Score: 1

      Paypal is the biggest target with the most bank account and credit card details by far: zero hacks. Hate the company, but they have a secure system.

    3. Re: Good grief by Anonymous Coward · · Score: 1

      While you're at it, say 'Voldemort'.

  5. hah. by rogoshen1 · · Score: 2

    There's an entire industry based around exploiting these kinds of holes for financial gain.

    panera, underarmour, zillow, trulia, dominos, wayfair etc etc. Track the sales/customer data, you have a very good idea of revenue numbers.

    Security researcher though? Bleh.

    1. Re:hah. by b0s0z0ku · · Score: 1

      The fate of Panera as a company and/or insider trading should be the least of the worries. Just another big chain. I'm more worried about the customers who were compromised,

  6. Uh OOO! by EETech1 · · Score: 3, Funny

    They're gonna be toast!

  7. It'd be easier by Ol+Olsoc · · Score: 3, Funny

    I we just reported the 2 companies that didn't hand over our data.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    1. Re:It'd be easier by Voyager529 · · Score: 1, Funny

      I we just reported the 2 companies that didn't hand over our data.

      Blockbuster and Funcoland.

  8. Are you any safer w/o credit card #? by 93+Escort+Wagon · · Score: 3, Informative

    My first thought was that Panera doesn’t have my credit card number, since I’ve always used NFC payments (Apple Pay) there. But still - with physical address, email address, and birthday, it probably wouldn’t take much for a bad guy to bluff his way into any number of my other accounts and/or steal my mail to get any physically sent verification (like Citi uses).

    If it were only a matter of some jerk getting into my Panera account... but that is the least of my worries.

    --
    #DeleteChrome
    1. Re:Are you any safer w/o credit card #? by omnichad · · Score: 5, Informative

      NFC from the actual, physical card can send the full track 1 data, including 16-digit account number (Apple Pay shares a virtual number). It's a real card number and could still be potentially used online - just can't be cloned to a magstripe card and used, and can't be used online without the 3-digit code off the back.

    2. Re:Are you any safer w/o credit card #? by jittles · · Score: 1

      NFC from the actual, physical card can send the full track 1 data, including 16-digit account number (Apple Pay shares a virtual number). It's a real card number and could still be potentially used online - just can't be cloned to a magstripe card and used, and can't be used online without the 3-digit code off the back.

      NFC does send the track 1 and 2 data, yes. However, there are two different ways to send NFC data. There is NFC EMV and NFC MSR. The former sends a virtual account number and CVC based on the information from the transaction that is included in the payload of the transaction, and cannot be replayed. The latter sends your exact card data, with a different CVC that is only valid for NFC, and can be replayed. Apple Pay uses the EMV format for sending NFC data. It is not replayable. And account numbers are not always 16 digits. The valid range is 13-19 digits depending on the BIN range used for the card. Some brands are shorter than others, and some, like Visa and Mastercard, have multiple length possibilities.

  9. Stop giving them personal information doofuses! by MobyDisk · · Score: 4, Insightful

    Oh for crying out loud! Why the heck would anyone give your name, email address, physical addresses, or birthday to Panera bread just to do an online order! These data breaches are bad, but I'm sick and tired of everyone giving away completely unnecessary information! If the cashier says "What's your zip code" you say "no thanks." If the grocery store wants you to give your name and phone number to get a discount card either lie, or don't get the discount. Enough is enough folks! My sympathy has run out.

    1. Re:Stop giving them personal information doofuses! by b0s0z0ku · · Score: 1

      Because it's easy and doable without human interaction, likely via the Web or through an "App". And not everyone has a local bodega they can call (as in call, on the phone) and have yummy food ready in 5 minutes.

    2. Re:Stop giving them personal information doofuses! by Cinnamon+Beige · · Score: 1, Insightful

      If you're ordering delivery, you're going to have a very interesting time getting your order without providing a physical address for it to be delivered to.

    3. Re:Stop giving them personal information doofuses! by RightwingNutjob · · Score: 1, Funny

      Leave food behind shrub to the left of the park bench. Place chalk mark on mailbox after you've made the drop. You're right, that is interesting.

    4. Re:Stop giving them personal information doofuses! by omnichad · · Score: 1

      Why the heck would anyone give your name, email address, physical addresses, or birthday to Panera bread

      Same account includes loyalty program.

      email address: get rewards info, order confirmation
      physical address: get delivery, card billing info
      birthday: get birthday rewards

    5. Re:Stop giving them personal information doofuses! by MobyDisk · · Score: 2

      Panera delivers? The ones near me don't. I figured this was for a pick-up order.

    6. Re:Stop giving them personal information doofuses! by houghi · · Score: 1

      One does not exclude the other. I should be able to give a company my details without them being given to somebody else. Be it by hacking or selling.
      OTOH they should not be allowed to ask and store information they do not need.

      The laws should show that sentiment. You know, like laws for the people, by the people.
      If 6 peoples details are leaked, they are idiots. If 60 peoples details are leaked, there is a need to see what is going on. If 6.000.000 people are leaked, you can only call them victims. It means that you can not blame them for being stupid.
      It is the same excuse as "She should not have worn a short skirt."

      --
      Don't fight for your country, if your country does not fight for you.
    7. Re:Stop giving them personal information doofuses! by Cinnamon+Beige · · Score: 1

      Panera delivers. It may not have rolled out yet where you are, but where I am, they started delivery late last year with their own drivers.

    8. Re:Stop giving them personal information doofuses! by SirSlud · · Score: 1

      These data breaches are bad, but I'm sick and tired of everyone giving away completely unnecessary information!

      Nobody is asking you to feel sorry for people. That doesn't mean you have to be okay with companies being incompetent at handling consumer data. Yikes dude, sounds like somebody wants to live in the fantasy of a just world, where everything happens because people deserve it, and we never have to care about anything.

      --
      "Old man yells at systemd"
    9. Re:Stop giving them personal information doofuses! by jittles · · Score: 1

      Oh for crying out loud! Why the heck would anyone give your name, email address, physical addresses, or birthday to Panera bread just to do an online order! These data breaches are bad, but I'm sick and tired of everyone giving away completely unnecessary information! If the cashier says "What's your zip code" you say "no thanks." If the grocery store wants you to give your name and phone number to get a discount card either lie, or don't get the discount. Enough is enough folks! My sympathy has run out.

      This data is collected by Panera’s loyalty program. They send you free things on your birthday. If you have food delivered, which Panera offers, you must give them a delivery address. So if you always did online order, in store pickup, without using a loyalty card, they do not have (nor did they ask for) that data. They would only have your payment details in that case. Even if they did not ask for that data, however, they could acquire it. You have to provide your zip code for 3D Secure to work, so they could easily take your card holder information, plus your zip code to determine your address, birthday, etc without you ever having any consent in the matter. So please stop the victim blaming.

  10. So That's Why They're so Expensive by Anonymous Coward · · Score: 1

    Always wondered why it cost $9 to get a kid-sized grilled cheese. Now I know it's to pay for cybersecurity lawsuits.

  11. Ick. by damnbunni · · Score: 1

    This is almost as disgusting as those bland bread rings they have the gall to call 'bagels'.

  12. monetize it if you think it's valuable by supernova87a · · Score: 3, Interesting

    I keep saying, the following penalty scheme will clean up data breaches right quick:

    $1 per name, email, physical address
    $2 per phone number
    $3 per credit card number
    $4 per SSN

    And multiply for combinations thereof. You'll see how fast companies move to secure their data.

  13. Holy crumbs! by Anonymous Coward · · Score: 1

    I suspect the guy in charge of web development is toast and will find it hard to pick up the crumbs and make new dough in future. At yeast he has his dignity. Right?

    1. Re:Holy crumbs! by Hognoxious · · Score: 1

      You can't prove that, and I'm not going to rise to the bait.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  14. Online retailers don't have to store this info by Applehu+Akbar · · Score: 1

    Just sign up with one of the tokenizing payment systems, like Apple Pay. The company itself does not have your credit card numbers, because they are in hardware you carry around. Each purchase generates a single-use card number that the vendor does not need to store anywhere after the transaction.

    1. Re:Online retailers don't have to store this info by b0s0z0ku · · Score: 2

      Or just pay good, old-fashioned, cold, hard cash to a vendor that's not a large corporation. Call a restaurant for delivery or just pick up yourself.

  15. Re:You're probably in worse shape by 93+Escort+Wagon · · Score: 4, Insightful

    But since you paid with Apple Pay, they've also got your Apple ID, and maybe even your phone number.

    You don’t seem to know how Apple Pay works - neither piece of information is involved. Additionally, the bank holds any financial liability - not the consumer.

    --
    #DeleteChrome
  16. This is bad by wyattstorch516 · · Score: 2, Funny

    Somebody could hack into my loyalty account and take the free cookie I am due with three more visits.

  17. Re:You're probably in worse shape by LifesABeach · · Score: 2

    i wish i could mod you up, ran out of points. but your right. most credit card fraud is treated as shop lifting. so the store gets to deal with it.

  18. Security Hole = Pastry Hole by cstacy · · Score: 1

    I am expecting to get a Month Of Bagels out of this.

  19. Hit close to home by ace123 · · Score: 3, Funny

    ... or close to localhost at least. I always wondered what they did with all the data I send by mistake to 12.7.00.1

    NetRange: 12.7.0.0 - 12.7.0.7
    CIDR: 12.7.0.0/29
    NetName: PANERA-B13-0-0
    NetHandle: NET-12-7-0-0-1

  20. Thanks to... by orcundead · · Score: 1

    Thanks to Carbs on Security for keeping us posted

  21. Consequences? by hyades1 · · Score: 2

    None.

    Those of us who care about incidents like this are increasingly painted into a corner. The sheeple, on the other hand, just don't care. If they get a chance to trade their contacts list for 20 "reward points", they'll do it in a heartbeat. If you're on that list, too bad.

    And companies like Panerabread continue to get away with this kind of nonsense.

    Just once, I would love to see somebody whose family was affected by something like this put the entire lives of the offending corporation's board on-line. Names, addresses, tax returns, where their kids go to school...all of it. See how they like it when they face the same sort of exposure they inflict on others, with maybe a little interest added.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  22. GDPR by Dj+Offset · · Score: 1

    Related, but not to this particular case.

    In the EU, the GDPR will take effect in a couple of months and will have a penalty of up to 4% of worldwide turnover for these types of breaches.

    I guess some really big companies will be affected by this in the years to come, and it will force a change of focus starting from the top of companies who want to do business in Europe.

  23. jail time NOW! by AndyKron · · Score: 1

    Who's going to fucking jail for this? Who's going to fucking jail!!!

  24. Per PCI Compliance, Panera could owe... by l0n3s0m3phr34k · · Score: 1

    So, the card companies can asses a fine of up to $100,000 per month per violation. Per TFA, the number affected "exceed 37 million", and they knew about this for 8 months. Therefor, Panera / the processing bank/ "someone" should be hit with a $29,600,000,000,000. Well, the "whole PAN" wasn't exposed, only the last 4 out of 16. So, to be fair, the fine should be $7,400,000,000,000. I'm sure they have proper "errors and omissions insurance" to cover about 10% of GWP (global world production). I mean, that's what insurance is for, right? Ten percent, that's in The Bible!

    Source

  25. Re:You're probably in worse shape by Stan92057 · · Score: 1

    Come on, your not that naive to think every last penny of CC fraud is not passed to the consumers?? here a link to just the fees business have to pay..forget the humongous rates they charge you for the loan they made you 25% and up.

    https://www.merchantmaverick.com/the-complete-guide-to-credit-card-processing-rates-and-fees/#Breakdown_of_All_Credit_Card_Processing_Fees

    They are laughing all the way to the bank.

    --
    Jack of all trades,master of none
  26. Accountability by houghi · · Score: 1

    As long as there is no accountability, meaning somebody high up gets at least fired and a serious fine is imposed, nothing will change.

    What is the real reason companies would do anything about it? Because it is a bit bad press and that will cost them a bit of customers. As a company I would say "Fuck it, save the data on every local PC in plain text. Much cheaper. We will deal with it when it happens"
    Then when it happens, you just say 'Oops' and do it then.

    Now if the fine where dependent on both the worth of the company and the number of people (not just accounts stolen or customers) it would be worthwhile for companies to invest in security.

    Say with a minimum of 1USD per persons account hacked and more if the company is worth a lot.
    That should be the low fine if they say that data has been breached. Times three if they don't.
    And if they bought the data from another company, that company should be fined as well.

    I bet you will hear much less about major hacks within a week. And they will be a LOT more careful about selling data, which should not be possible in the first place.

    Without accountability? Meh!

    --
    Don't fight for your country, if your country does not fight for you.
  27. Irresponsible disclosure by jbmartin6 · · Score: 1

    Looking at the history of the report and Panera's response, it just reinforces my belief that "responsible disclosure" just serves to protect the company/vendor from liability and provides no incentive to change behavior. Immediate full disclosure would introduce some incentives to actually change behavior. Although a reasonable compromise might be cutting the time to disclosure down enough, this guy gave them eight months. Two weeks would be better.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  28. Third world programmer==third world code by Eravnrekaree · · Score: 1

    This is what we get from hiring cheap third world H1B labor. Third world labor, third world code. Best thing we can do is kill the entire H1B program and hire only American geeks to maintain these systems

  29. Re:You're probably in worse shape by tsqr · · Score: 1

    From your linked article:
    Transactional Fees
    These fees are assessed every time you run a transaction. They represent the biggest cost of operating a merchant account.

    So, how big is the transactional fee? According to the article, 2.10% plus $0.10. IMHO, that's not unreasonable for the convenience. Of course, it's passed on to consumers. All the consumers. Even the ones who pay cash. So, if you're paying cash, you're subsidizing the ones who use credit cards.

    And of course, the humongous interest the CC issuer charges is only an issue if you carry a balance. Yeah, I know, lots and lots of people carry significant credit card debt. Personally, I haven't paid a dime in credit card interest in many years.

  30. another reason to avoid Panera by NikeHerc · · Score: 1

    Panera has been on my do-not-buy-there list for some time. My favorite bagel is the jalapeno-cheese variety. The local Panera only made them occasionally. The last time I asked when they would be making them again, the snooty dipstick behind the counter said they were no longer making them. When I asked why, she said something about fat content or some related drivel. When I explained I exercise a lot and I'll eat anything I please and would you make them again, she said no way. I said you'll get no more business from me and adios.

    Panera is one of those companies that's gotten too big for its britches. Screw these morons, I'll go elsewhere and be treated better.

    --
    Circle the wagons and fire inward. Entropy increases without bounds.
  31. Re:No Idea? by supremebob · · Score: 1

    With Panera Bread, it's probably more like they let an outside vendor put in equipment on their network that wasn't secured properly, and they were probably relying on a separate (incompetent) vendor to insure that their network was secure.

  32. Actual birthdays?? by magarity · · Score: 1

    I always put April 1 as my birthday when companies ask for it for their membership bonus programs. It's easy to remember and after all, the joke's on them. Why would anyone give their real birth date to these kinds of things?

  33. Fun fact about the CIO... by SmokeyRobot · · Score: 2

    He was Chief Security Officer at Equifax until 2013.