Evidence shows that Panera's website leaked millions of customer records. As reported today by KrebsOnSecurity, personal information including names, email addresses, physical addresses, birthdays and the last four digits of customers' credit card numbers was exposed. The company temporarily pulled the website offline yesterday.
However, Krebs believes the information was accessible in plain text on Panera's site for at least eight months before the retailer took it down. Krebs says a security researcher, Dylan Houlihan, discovered the breach last year, and that when Houlihan reported it to Panera, the company initially dismissed his findings as a scam.
The exposed data included records for any customer who had signed up for an account to order food online. Also exposed was each customer's loyalty card number, which an attacker could use to spend prepaid account balances or to siphon off loyalty value.
Panera.com was briefly taken offline for a few hours but is now back up and running. Although the business claims that around 10,000 consumers may have been affected, Krebs estimates a much higher number, probably in the millions.
Eater published a statement from Panera:
"Panera takes data security very seriously and this issue is resolved. Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved. Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue and we are working diligently to finalize our investigation and take the appropriate next steps."
The exact number of consumer records exposed is not clear yet, but KrebsOnSecurity suggests it might be higher than 7 million.
The news comes less than 24 hours after Hudson's Bay reported that millions of credit and debit card records were exposed at its Saks Fifth Avenue, Saks Off 5th and Lord & Taylor U.S. locations.
But Panera's denial of the extent of the security breach can have three long-term consequences, according to Zohar Steinberg, founder and CEO of Token, a mobile app that enables individuals to shop securely by disguising their payment details and creating a pseudo identity.
First, the denial can have extended PR damage. An example is the Target breach from several years ago, Steinberg said.
"We see that many consumers avoid doing business with brands who had poor security and got breached, such as Equifax, Uber and the list is long," he said.
Second, Panera could open itself up to lawsuits with heavy settlements. Target, for example, had to pay $18.5 million following a massive data breach in late 2013. Equifax was hit with a rare 50-state class-action lawsuit, while Uber was hit with two lawsuits over a gigantic 2016 data breach.
Finally, Panera could face regulatory fines. For example, the NYDFS has implemented a cybersecurity regulation that places new security requirements on all covered financial institutions.
Steinberg stresses that working with security providers and handling customers' data properly is a must.
"By encouraging shoppers to be proactive in protecting their personal data, the rate at which merchants experience fraud will decrease," Steinberg said. "Products such as ApplePay and Android Pay or other apps that tokenize payment information are a great way for consumers to keep their credit card numbers offline and out of harm’s way."
Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard, a leader in security ratings, believes that Panera should publicly acknowledge that it has room to improve its security.
Yampolskiy cited SecurityScorecard research supporting this view. Panera's grade declined by 9% (out of 100) in the past six months, lagging behind its industry peers in Endpoint Security (keeping browsers and operating systems updated) as well as IP Reputation (how quickly an internal malware infection is stopped by their systems).
"My guess here was that—not that they didn’t know what to do, but that they didn’t have adequate buy-in and support from other stakeholders in the organization to enable the security team to succeed," he added.
George Avetisov, CEO of HYPR, a leader in decentralized authentication, calls the Panera breach unusual because the discovery appears to have been confirmed, yet the proper fixes were not applied for an extended period of time.
"It's important that a company with a confident security posture back up a stated commitment with a decisive operational fix and perhaps an independent review by a reputable security firm," Avetisov said.
Avetisov also warned other retailers about centralized data storage, as it creates a large attack surface and a single point of failure that hackers can easily target.
"These vulnerabilities also make it likely for internal threats such as accidental loss of consumer data to occur. We keep learning the hard lesson that it's not a matter of if centrally held data will be breached, it's a matter of when," he added.
Looking ahead, Avetisov says a paradigm shift is taking place in response to security incidents that damage brands and erode trust.
"We're seeing breach after breach of data thought to be out of the reach of malicious third parties, or immune to accidental loss. The old model of warehousing consumer and even employee data for accessing company systems hasn't kept pace with the threats and the scale of damage caused by lost data," he said.
There is a remedy, however: companies are finding that decentralizing credentials (biometrics, PINs, passwords, bank cards) greatly reduces the risk of a data breach, lowers IT costs, and gives the end user an even faster checkout experience.
Yampolskiy advises retailers to focus on cybersecurity by using dynamic application security testing tools like WhiteHat and static code analysis tools like Fortify to look for application security vulnerabilities, and by conducting periodic red-team assessments.
"The key gap is that companies often don't know what their external attack surface looks like—they need to rely more on OSINT to see 'what hackers see'—and understand their level of exposure," he said.