Panerabread.com stored personal and financial details of over 37 million customers for around eight months before the bread-maker shut it down after being alerted by a security researcher, security writer Brian Krebs has revealed.
Sensitive customer info stored in plain text
Astonishingly, the website stored, without masking, detailed profiles of the millions of customers who used it to place their orders. These included names, email and physical addresses, birthdays and the last four digits of customers’ credit card numbers.
In his popular security blog KrebsOnSecurity, Brian Krebs said that Panera was informed about the huge security hole in its website by security researcher Dylan Houlihan in August last year, but the company shut down the website only recently after investigating Houlihan's claims. The firm initially dismissed his report as a scam before realising that what he alleged was true.
According to Krebs, personal and financial details of over 37 million customers were stored in plain text on Panerabread.com, and could be indexed and crawled by automated tools with very little effort. All these details remained accessible until the site itself was taken down on 2nd April.
“Panera Bread uses sequential integers for account IDs, which means that if your goal is to gather as much information as you can instead about someone, you can simply increment through the accounts and collect as much as you’d like, up to and including the entire database,” said Houlihan.
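Houlihan's point is that sequential account IDs make bulk enumeration cheap. As an added example (not from Krebs's report or Panera's systems), the Python below flags a client that walks consecutive account IDs in constructed web-server access logs; the `/api/account/<id>` endpoint and the sample lines are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample access log lines (not real Panera traffic). The
# /api/account/<id> path is a hypothetical endpoint used for illustration.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Apr/2018:10:00:01 +0000] "GET /api/account/1001 HTTP/1.1" 200 512
203.0.113.5 - - [02/Apr/2018:10:00:01 +0000] "GET /api/account/1002 HTTP/1.1" 200 498
203.0.113.5 - - [02/Apr/2018:10:00:02 +0000] "GET /api/account/1003 HTTP/1.1" 200 530
203.0.113.5 - - [02/Apr/2018:10:00:02 +0000] "GET /api/account/1004 HTTP/1.1" 200 511
203.0.113.5 - - [02/Apr/2018:10:00:03 +0000] "GET /api/account/1005 HTTP/1.1" 200 505
198.51.100.7 - - [02/Apr/2018:10:00:03 +0000] "GET /api/account/88231 HTTP/1.1" 200 520
198.51.100.7 - - [02/Apr/2018:10:00:09 +0000] "GET /api/account/88231 HTTP/1.1" 200 520
198.51.100.7 - - [02/Apr/2018:10:00:15 +0000] "GET /static/logo.png HTTP/1.1" 200 9032
"""

# Common-log-format prefix up to the request path; path must be the account endpoint.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) ')
ACCOUNT_RE = re.compile(r'^/api/account/(?P<id>\d+)$')

def parse_account_requests(log_text):
    """Return (client_ip, account_id) pairs for account-endpoint requests, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        a = ACCOUNT_RE.match(m.group('path'))
        if a:
            hits.append((m.group('ip'), int(a.group('id'))))
    return hits

def detect_enumeration(log_text, min_distinct=5, min_sequential_ratio=0.8):
    """Flag clients requesting many distinct account IDs in near-consecutive order;
    a legitimate user touches their own account, an enumerator walks +1 steps."""
    by_ip = defaultdict(list)
    for ip, acct in parse_account_requests(log_text):
        by_ip[ip].append(acct)
    flagged = {}
    for ip, ids in by_ip.items():
        distinct = len(set(ids))
        if distinct < min_distinct:
            continue
        steps = [b - a for a, b in zip(ids, ids[1:])]
        sequential = sum(1 for s in steps if 0 < s <= 2)  # tolerate small gaps
        ratio = sequential / len(steps) if steps else 0.0
        if ratio >= min_sequential_ratio:
            flagged[ip] = {'distinct_ids': distinct, 'sequential_ratio': round(ratio, 2)}
    return flagged
```

The same pass would stay quiet for a customer reloading their own account page, which is the behaviour the second client above represents.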
Krebs added that details stored on the website also included customers' Panera loyalty card numbers, which could also be exploited by fraudsters to make unauthorised purchases. While Panera initially claimed in an interview with Fox News that ten thousand customers were affected, Krebs challenged the firm's assessment and said that the number of people affected by the security flaw was as high as 37 million.
"Subsequent links shared by Hold Security indicate that this data breach may be far larger than the 7 million customer records initially reported as exposed in this story. The vulnerabilities also appear to have extended to Panera’s commercial division which serves countless catering companies.
"At last count, the number of customer records exposed in this breach appears to exceed 37 million. Thank you to Panera for pointing out the shortcomings of our research. As of this update, the entire Web site panerabread.com is offline," Krebs said.
Firms still not adequately protecting customer data
"Security is often as much about the response as prevention, and that includes how organizations respond to incidents and breaches. The market isn’t particularly forgiving when it comes to public incident response. Organizations that collect, store and transmit customer data need to have plans in place to deal with reported vulnerabilities. The time to plan is before an incident occurs, not during," says Tim Erlin, VP, Product Management and Strategy at Tripwire.
According to Lisa Baergen, director at NuData Security, this isn't the first time that customers have had their information leaked because of the "poor security procedures of companies transacting online, who continue to rely solely on plain text identifiers and static data such as credit card numbers, passwords and even simple customer names and phone numbers."
“The most proven and effective solutions for protecting customers are readily available and increasingly widely implemented: multi-layered security solutions that incorporate verification via passive biometrics, without adding friction, by evaluating a consumer’s inherent behaviour online during the transaction process.
"This field-proven approach lets the company confirm that a consumer is legitimate or a would-be fraudster before loss to the company can occur, even if the correct data - perhaps stolen - was used. And it also prevents the company’s reliance on the sort of personally identifiable customer data that’s once again been leaked.
"Ultimately, the shift to more advanced multi-layered solutions will, over time, render stolen information valueless to cybercriminals, as passive biometric verification defies use by third parties," she adds.