Why would you assume a security researcher who put in that much effort and kept the pastebin mostly anonymous didn't put in the effort to contact Panera Bread?
Is there a reason you automatically assume that the security researcher is irresponsible, but companies, who almost daily, have data breaches, are responsible in these scenarios?
"Hey, maybe you should contact the company?!" Thank you captain fucking obvious.
Come on - Panera Bread just isn’t some auto shop in your city.
Panera Bread is a company with over 2000 locations, almost 50,000 employees and more than $2 billion in revenue. They let highly sensitive information about millions of customers -- such as dietary requirements, contact details, credit card numbers -- remain publicly accessible for eight months, despite being alerted to it and accepting that it was a legitimate report. Then, once the media found out, they were misleading about the extent of the problem and didn’t even fix it properly.
There are not excuses for a company of Panera Bread's size, with someone actually employed as an 'Information Security Director', to be this incompetent.
Perhaps I'm naïve, but the fact this "breach" is being disclosed anonymously, via a medium commonly associated with nefarious data dumps, suggests to me that there really was little consideration paid to allowing Panera an opportunity to correct this situation.
Disclosing this as such was irresponsible, despite being an important discovery.
The head of security for Panera Bread seemed to become upset / confused when a security researcher asked about exchanging PGP keys... he worked at Equifax previously.
B- How can a company have such a bad response? I think just about every big company has put a huge emphasis on data security. But hey, companies are big and technology is complex, so maybe data leaks still happen. But when they do, how can you treat them with such a lack of care? And how can the director of Security be alerted about this and not fix it? Seems potentially criminally negligent?
"Per my last tweet, Panera issued a statement to Fox News saying the breach only impacted 10,000 customer accounts. Interesting that they had no numbers for me, and yet had this 10k number all ready to go on the same day this was "discovered," eight months after it was reported."
"At the risk of making my job harder (or possibly, easier?) it's clear I'm going to have to write an entire series of blog posts about how not to handle a data breach from a PR perspective. I'm sputtering over here. Gave @panerabread every courtesy and they treat me like an idiot"
"Hey @panerabread : before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn't extend to all other parts of your business, like http://catering.panerabread.com , etc. Only proper response is to deep six entire site"
I recall someone who was a security director at Panera Bread (a US based fast casual restaurant) who was confused and upset when a security researcher contacted them and asked to exchange a PGP key ... I suspect he straight up didn't understand what the request for a key meant, or possibly even the issue, as it was a very obvious issue and they did nothing about it until it hit the press.
This kind of incompetence directly endangers the privacy and security of anyone who does business with Panera. And it's reminiscent of the kind of incompetence that characterized the Equifax breach and other recent high-profile hacks.
Maybe it's time that a subset of IT workers become professionally licensed and liable, like engineers.
you seem to confuse being able to explain why something happens with whether or not it is a security breach. that this is an artefact of the recommendation algorithms does not change the importance of the information leaked.
and the argument "you should not be surprised companies fuck you over" simply gives away moral ground without a fight.
i really can't understand posts like yours. is the chance to appear world-weary and knowledgeable really worth selling your soul for?
I think it's at an entirely different level when it's a brand new company and a trivial security flaw. That just seems like incompetence, and he's absolutely right to suggest not trusting people like that with your data.
You're getting mad at the wrong person here, full stop. This is gross, inexcusable negligence and incompetence. I'm surprised this guy didn't wait more than a few months, given the severity of this problem.
> whilst protecting customer data from any opportunistic bad actor
Riiiight. Do you honestly think something this basic wouldn't be discovered by criminals soon, if not already?
Perhaps, but what I can blame them for is for having very poor monitoring (50% failure rate and nobody noticed??) and poor security, culminating in this data breach.
People need to be held accountable for the security of their systems when they are storing personally identifiable information on customers or the public at large.
Edit: Perhaps they shouldn't be blamed when someone leverages a zero-day to break in, but if this is due to their failure to patch their systems, IMO they're 100% liable for everything that follows.
That wasn't a breach; a possible MitM != breach, nor does putting data into an analytics company. I'm not saying they are blameless, but it irks me when things like this are mislabeled, as it dilutes real breaches.
> One possible explanation, according to several veteran security experts consulted by Bloomberg, is that the investigation didn’t uncover evidence that data was accessed. Most data breach disclosure laws kick in only once there’s evidence that sensitive personal identifying information like social security numbers and birth dates have been taken.
There was one company (very well known) I know of that was breached, but their logging and general security infrastructure was so poor that they had no direct evidence that customer info was breached, so they didn't have to report the hack. They only found the intrusion due to excessive load the intruders caused on some services.
Customer info was certainly accessed (the attackers were everywhere), it's just there was no record of it as the records they kept were so few and far between.
Part of me thinks it's a pretty clever workaround to such laws.
It's not that "dishonesty doesn't matter" it's that you really shouldn't expect a company to go out of its way to call attention to its own screwup. They only want to bring this to the attention of people who need to know for security reasons, and they directly emailed all of those people. The sole purpose of the blog post was "oh, in case you heard about a security breach, you'll be happy to know that we've mitigated the problem. Aren't we doing great?" Even if you think the answer is "no," there is really nothing dishonest there.
That level and timeline of response tells you a great number of things, regardless of the source:
1) they had a plan for breaches (it would be hard to cover all the ground without one)
2) they had technical controls/capability to respond (mass password reset)
3) they had clear and direct accountability all the way up to ceo
Other than not having detected the breach, and using not-the-best (but not entirely the worst either) password storage, I don't know what else you could ask for.
I think the point OP was making was that if the data hasn't surfaced, then you cannot confirm whether a particular case of identity theft has been caused by the breach.
Due to fear of retaliation I decided initially not to share this story, but enough time has passed, and I feel the security community should know how one of the largest banks treats security researchers.
That's an extremely embarrassing response. Helps me understand how this data breach occurred if an organization is this uninformed about basic security.
Because you trusted the wrong people, and this has consequences.
The customer has to suffer from the mistakes of the companies so that:
1. She stops trusting any company blindly with her data.
2. The market demands improvements from the service providers (and no, sacrificing a scapegoat in court is not an "improvement").
3. Service companies react. Unless there's a major scandal, companies are slow to react to vulnerabilities.
About that last point, it's a bit unfair to assume that the activist tried to contact AT&T and they didn't react. I honestly don't know if that's what happened in this case, and I hope it is. However there are several cases of companies "turning a blind eye" on the issue.
As a customer, the only entity to blame when such a breach occurs is the provider that you entrusted with your data. Not the activists (regardless of their intents) nor the hackers or whatever monster you heard about in the media.
If I entrust (and pay) someone with my bike and it gets stolen on his watch, who's to blame? The thief or the guardian?