U.S. Markets closed

How Panera Bread Fumbled Its Data Leak—And What to Learn From Its Mistakes

Robert Hackett

Panera Bread messed up big time.

Even without getting into the technical failures that caused the restaurant giant to leak personal information for what appears to be millions of customers, the company’s handling of the bug reporting and breach disclosure processes alone proved abominable. They represent a masterclass in how not to behave when confronted with a cybersecurity predicament.

It’s worth reviewing what the company got wrong so that other organizations can learn from its mistakes. Fortune has pulled together five lessons that companies can take away from the data-exposing debacle, which left Panera customers’ names, email and street addresses, birthdays, and the last four digits of their payment cards out in the open for months.

The purpose here is not to bash Panera--although such criticism seems to be warranted--but rather to learn from its foul-up. “The story here isn't the vulnerability, it's the response,” M?rten Mickos, CEO of HackerOne, a bug bounty reporting firm, told Fortune in an email.

Read more: “Google’s Elite Hacker SWAT Team vs. Everyone

Moreover, it’s about what other businesses may do when they find themselves in a similar situation. Dylan Houlihan, the security researcher who originally discovered the exposed customer data (including his own) and reported it to Panera in August 2017, found himself ignored by the company for months. Fed up, he posted his findings publicly to force Panera’s hand into fixing the security bug. But as even he put it in a post on Medium: focusing strictly on this one company would be myopic.

“It's easy to bully Panera Bread for this, but in my opinion we need to take Panera Bread's actions as symptomatic of a much larger issue with security reporting and compliance,” wrote Houlihan, founder of Breaking Bits, a New York-based digital security firm. “This is not a problem unique to any particular type of company. This has happened before and it will continue to happen.”

The below points lay out where Panera stumbled. (Panera did not reply to Fortune’s request for comment, including one seeking to verify Houlihan’s account of their interactions.)

To avoid the same pitfalls, read on.

1. Post a contact page for bug reports

If a company has no dedicated webpage that clearly details the process for security researchers to submit vulnerability reports, then it is setting itself up to fail from the get-go. This page should ideally be separate from a standard customer support line, where ordinary users might go to report hijacked accounts, and the submissions to it should promptly be reviewed by security pros with the right qualifications. Look to companies such as Google, Microsoft, Facebook, and Apple, for outstanding examples of such contact pages.

When Houlihan sought the proper reporting channel at Panera, he found no such thing. Instead, he took a shot in the dark by guessing at what might be an appropriate e-mail address, security@panerabread.com. When the message he sent there bounced back, Houlihan said he tried reaching out to the company on Twitter and then LinkedIn. Eventually, a mutual connection in the cybersecurity industry provided him an introduction to Panera’s information security director.

Researchers shouldn’t have to jump through so many hoops to help a company out. This doesn’t mean that companies have to offer bug bounties, or rewards for finding security flaws (as much as they’re appreciated); they just need to provide an avenue for researchers to responsibly disclose vulnerabilities. Help them help you.

2. Don’t shoot the messenger

It should go without saying, but you should treat people with courtesy.

When Houlihan heard back from Panera’s security lead, the employee took a defensive stance and seemed to accuse the researcher of being a scammer. In an initial email exchange posted by Houlihan to Medium, the security team leader said his group ignored Houlihan’s pleas because they were “very suspicious and appeared scam in nature.” “If this is a sales tactic,” the director chastised Houlihan in an email reply, then Houlihan’s attempt at an approach “would not be a good way to start off.”

Everyone has a bad day, sure. But if Houlihan’s advances “appeared scam in nature,” it’s likely because the researcher had to dig up, in the absence of a dedicated bug reporting page, alternate means of reaching Panera’s security team, including affiliated social media accounts. This misunderstanding could have been prevented if Panera offered a clear vulnerability reporting policy. In other words, see point No. 1; and if you don’t have such a bug reporting policy in place, at least give researchers the benefit of the doubt when they come knocking.

3. Don’t leave a tipster hanging

Be prompt in your reply.

According to Houlihan, after he persuaded the security director to send him a PGP key--an encryption tool designed to protect communications--and used it to send over his vulnerability report, the security team leader went silent. Houlihan said he repeatedly emailed the manager over the course of several days, as the time stamps on his email messages seem to indicate, to ask for an update. To be fair, one might note that the (mostly one-sided) exchange occurred in the midst of a summer weekend. Still, it took six days for Panera’s security lead finally to reply: “Thank you for the information we are working on a resolution.”

Don’t leave bug reporters dangling, especially when customer data is potentially on the line. Companies should provide clear guidance to researchers, letting them know how long they can expect to wait to hear back as well as any justifications for delay. People tend to be understanding.

4. Fix things. Promptly.

When you know something is broken, fix it.

From the time of Houlihan’s bug submission, Panera allegedly let eight months go by without addressing the vulnerability that exposed people’s information. (Houlihan said in his recap that he “checked on this vulnerability every month or so…. So I personally know for a fact that it was never patched in the interim. And even if it was, that it would be fixed and inadvertently reintroduced is nearly as bad as not fixing it at all.”) This inaction drove Houlihan to post his findings online, and to approach an investigative journalist, Brian Krebs, in the hopes of garnering attention for the issue, escalating its priority, and thereby forcing Panera to patch the hole in its systems.

Casey Ellis, founder and chief technology officer of Bugcrowd, a bug bounty startup, said in an email that its shame when researchers must resort to “full disclosure”--revealing their findings to the public before an organization has addressed the issue--but it is sometimes the only way to get a vulnerability fixed. “Full Disclosure is a necessary but inherently disruptive thing: It's the last tool available to security researchers when a risk they've identified is being ignored,” he wrote to Fortune. “Vendors should work to avoid it, and in an ideal world it is completely unnecessary for a vulnerability.”


5. But don’t rush out a flawed response

Take the time to understand what’s wrong, and to address it.

After Krebs’ story published Tuesday, Panera appeared to attempt to commandeer the narrative by supplying a hasty response to inquiring news outlets, like Fox News, that claimed the problem was less significant than it was. John Meister, Panera’s chief information officer, said in a statement quoted by Fox that “this issue is resolved” and that “our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue.” Krebs followed up by posting tweets that demonstrated how many more people--perhaps as many as 37 million--could have been, and likely still were at that time, affected.

A better reply would have been something along the lines of, “we are working diligently to address these issues and will provide an update when we have more information to share.”

Please, run a proper audit first. Don’t downplay security issues when you don’t yet have the full picture. Dashing off a statement based on a most preliminary understanding, as Panera appears to have done, runs the risk of spreading misinformation, deliberately or not, which will only serve to hurt one’s customers and oneself.



If you’ve got a business with a digital component--as just about every company has these days--take heed. Panera is not unique; you can learn from its example. These five bullets are a start.

Katie Moussouris, founder and CEO of Luta Security, a vulnerability disclosure and bug bounty consultancy, told Fortune a Twitter direct message that Panera’s shoddy approach to dealing with cybersecurity issues is, unfortunately, all too common among businesses today. “Panera’s reaction of initial suspicion, followed by silence, hoping the researcher would move on, is sadly still prevalent in the majority of companies & governments,” she wrote.

“Vulnerabilities happen to every organization, without exception,” she said. “Being prepared for the inevitable report is just good business.”

Best to put a plan in place now.

See original article on Fortune.com

More from Fortune.com

  • Can AMD Stock Go on a Bull Run Once Again?
    Business
    Motley Fool

    Can AMD Stock Go on a Bull Run Once Again?

    Advanced Micro Devices (NASDAQ: AMD) shares have fallen off a cliff over the past month, as investors are probably concerned about whether it can sustain its rally in the face of a fading tailwind and rising competition. The chipmaker has minted a lot of money thanks to cryptocurrency mining, but that catalyst is fizzling out and rival NVIDIA (NASDAQ: NVDA) has launched a new generation of graphics chips to reclaim its lost market share. AMD blames weak GPU sales to the cryptocurrency market for this slowdown, but recent developments indicate that it could easily surpass the low-balled guidance.

  • Which Canadian Marijuana Stock Will Enjoy a Bigger Bump From Its NYSE Listing -- Aphria or Aurora?
    Business
    Motley Fool

    Which Canadian Marijuana Stock Will Enjoy a Bigger Bump From Its NYSE Listing -- Aphria or Aurora?

    Maybe Wall Street should be called "Weed Street." Big Canadian marijuana grower Canopy Growth listed its stock on the New York Stock Exchange (NYSE) earlier this year. Aurora Cannabis (NASDAQOTH: ACBFF) begins trading on the NYSE on Tuesday, Oct. 23. Aphria (NASDAQOTH: APHQF) filed last week to list its stock on the NYSE.

  • Better Buy: Ford Motor Company vs. General Motors
    Business
    Motley Fool

    Better Buy: Ford Motor Company vs. General Motors

    Both Ford Motor Company (NYSE: F) and General Motors (NYSE: GM) have been investor favorites in the not-too-distant past, and both pay good dividends. Ford has a slew of new products on the way, starting with a brand-new Ranger pickup early next year. Ford and GM have both had a rough year in the stock market.

  • Kamala Harris proposes new tax credit
    Politics
    Fox Business Videos

    Kamala Harris proposes new tax credit

    “Bulls & Bears” panel discusses how Sen. Kamala Harris (D-Calif.) is proposing a new tax credit, which would provide families making less than $100,000 a year with an extra $500 a month.

  • This Warren Buffett Stock Is Dirt Cheap Right Now
    Business
    Motley Fool

    This Warren Buffett Stock Is Dirt Cheap Right Now

    Warren Buffett has amassed a large portfolio of bank stocks for Berkshire Hathaway (NYSE: BRK-A) (NYSE: BRK-B) with major holdings in Bank of America (NYSE: BAC), Wells Fargo (NYSE: WFC), and American Express (NYSE: AXP), just to name a few of the most well-known and largest investments. Synchrony is a major issuer of store-branded credit cards and also operates a rapidly growing online banking platform.

  • Sears Holdings Hopes to Live On After Bankruptcy. Here's Why It Won't
    Business
    Motley Fool

    Sears Holdings Hopes to Live On After Bankruptcy. Here's Why It Won't

    The bankruptcy filing everyone saw coming finally arrived. Sears Holdings (NASDAQ: SHLD) announced early Monday morning it was seeking Chapter 11 protection and had arranged financing that would allow it to keep operating, at least through Christmas. While other businesses have reorganized and emerged successfully while under the protection of the bankruptcy courts, including retailers like Payless ShoeSource, True Religion, and Gymboree, don't expect the same of Sears.

  • 3 Dividend Stocks That Pay You More Than Coca-Cola Does
    Business
    Motley Fool

    3 Dividend Stocks That Pay You More Than Coca-Cola Does

    With a better than 50-year history of paying dividends, Coca-Cola (NYSE: KO) is seen as an icon of stable, strong, secure payouts. Although Coke and its dividend are not in trouble, there are better investments to be found. Three stocks that these Motley Fool contributors particularly like are Dominion Energy (NYSE: D), AbbVie (NYSE: ABBV), and MGM Growth Properties (NYSE: MGP).

  • Hate Taxes? 37 States Make Social Security Tax Free
    Business
    Motley Fool

    Hate Taxes? 37 States Make Social Security Tax Free

    Over the course of your career, you'll probably have tens of thousands of dollars in Social Security payroll taxes withheld from your paychecks. Workers are confident that by paying those taxes up front, they'll be able to collect Social Security benefits

  • Better Buy: Aurora Cannabis Inc. vs. Canopy Growth Corporation
    Business
    Motley Fool

    Better Buy: Aurora Cannabis Inc. vs. Canopy Growth Corporation

    Canadian marijuana producers have entered a new era. After several years of supplying medical marijuana nationwide, they have begun moving into Canada's recreational marijuana market, which opened on Oct. 17. Canopy's share price has soared three times higher than Aurora's has.

  • With crude around $70, it’s time to sell your oil stocks
    News
    MarketWatch

    With crude around $70, it’s time to sell your oil stocks

    The energy sector has been whipsawed by headlines lately, and many investors can’t decide whether to buy or sell oil stocks. When oil (CLX8) raced up to a new 52-week high of more than $76 to start October, many thought things looked great. Then as U.S. oil supplies rose and as OPEC production rose, things didn’t look so hot.

  • The ‘smart money’ says it’s time to buy the Chinese internet giants and the U.S. FAANGs
    News
    MarketWatch

    The ‘smart money’ says it’s time to buy the Chinese internet giants and the U.S. FAANGs

    When the media and investors turn negative on stocks but the “smart money” is bullish, it’s a good time to think about buying. After all, exactly what is the smart money, and how do you know? Lately, several fund managers who pass this test have been pounding the table on Chinese internet names.

  • Suze Orman has a killer question for your retirement
    Business
    MarketWatch

    Suze Orman has a killer question for your retirement

    Suze Orman is one of those singular personalities in the financial business who seems to be right on the pulse of everyone she meets. She’s written books, starred in her own television show and made innumerable appearances in person. Like Oprah

  • Jackpot stocks that could make you a billionaire
    GILD
    CNBC Videos

    Jackpot stocks that could make you a billionaire

    Following on the Mega Millions madness, the traders give you stocks that could make you a billionaire. With CNBC's Frank Holland and Melissa Lee, and the Fast Money traders, Tim Seymour, Steve Grasso, Brian Kelly and Dan Nathan.

  • How the Heck Did Netflix Stock Go Down Last Week?
    Business
    Motley Fool

    How the Heck Did Netflix Stock Go Down Last Week?

    Everything seemed to go right for Netflix (NASDAQ: NFLX) last week. It has another hit on its hands with The Haunting of Hill House, an eight-part horror series based on Shirley Jackson's novel that has even won the praise of the immortal Stephen King. Netflix is killing it, but investors are unfortunately singing a different tune.

  • 3 Top Stocks Under $5
    Business
    Motley Fool

    3 Top Stocks Under $5

    If you're looking for cheap stocks, focusing too much on share price is a mistake. Companies like Zynga (NASDAQ: ZNGA), Chesapeake Energy (NYSE: CHK), and Ascena Retail Group (NASDAQ: ASNA) have mounted impressive comebacks over the past year, and the future could hold even further gains if the industry conditions that they face take a turn for the better.

  • 3 Top High-Yield Tech Stocks
    Business
    Motley Fool

    3 Top High-Yield Tech Stocks

    A mere decade ago, it would have been unheard of to search for high-yielding investments in the technology sector. In the years since, the technology sector continues to boast high-yielding stocks. Read on to determine why our Motley Fool contributors chose Cisco Systems (NASDAQ: CSCO), Uniti Group (NASDAQ: UNIT), and Verizon Communications (NYSE: VZ) as three high-yielding tech companies for your portfolio.

  • 3 Stocks to Supplement Your Social Security Income
    Business
    Motley Fool

    3 Stocks to Supplement Your Social Security Income

    Social Security isn't meant to replace your entire paycheck. Enterprise Products Partners L.P. (NYSE: EPD), Duke Energy Corporation (NYSE: DUK), and W.P. Carey Inc. (NYSE: WPC) are three great options to consider. Enterprise Products Partners is one of the largest midstream energy companies in North America, offering a generous distribution yield of roughly 6%.

  • 3 Great Stocks Under $10
    Business
    Motley Fool

    3 Great Stocks Under $10

    Among the stocks you can currently purchase for less than $10 per share are Sirius XM Holdings (NASDAQ: SIRI), Annaly Capital Management (NYSE: NLY), and Infosys (NYSE: INFY), and below, we'll take a look at how long they're likely to remain this cheap for would-be investors. Sirius XM was a pioneer in the satellite radio industry, and it's been an investor favorite for years.

  • 3 Warren Buffett Stocks Worth Buying Now
    Business
    Motley Fool

    3 Warren Buffett Stocks Worth Buying Now

    Known as the Oracle of Omaha, Warren Buffett has collected both an incredible investment record and a deservedly vast following among investors of all types. Every move he makes is scrutinized in the hope of gleaning  wisdom from his investment choices.

  • Bitcoin Hits New Yearly Low Volume, Only Way to Reverse Trend is a Big Spike
    Business
    CCN

    Bitcoin Hits New Yearly Low Volume, Only Way to Reverse Trend is a Big Spike

    Over the past 24 hours, Bitcoin has achieved a new yearly low volume, demonstrating a lack of momentum and strength to recover to the higher region of $6,000. On Coinmarketcap, the volume of Bitcoin fell to $3.1 billion while it fell to $1.91 billion on CoinCap. The previous yearly low point of the Bitcoin volume was $3.2 billion on Coinmarketcap and $2 billion on CoinCap.

  • 3 Energy Stocks You Can Buy and Hold for the Next Decade
    Business
    Motley Fool

    3 Energy Stocks You Can Buy and Hold for the Next Decade

    North America needs to build $23 billion of new natural gas-related infrastructure annually through 2035, according to a recent report. Three of the best positioned to capture this growth are Kinder Morgan (NYSE: KMI), Williams Companies (NYSE: WMB), and TransCanada (NYSE: TRP), making them great stocks to buy and hold in the coming decade. Kinder Morgan is already the largest natural gas pipeline company in North America, operating roughly 70,000 miles of pipeline.

  • Here's Which Marijuana Stocks Investors Are Betting Against the Most
    Business
    Motley Fool

    Here's Which Marijuana Stocks Investors Are Betting Against the Most

    Canada's recreational marijuana market is now open for business. Some are confident enough that certain marijuana stocks will fall that they're putting a lot of money on the line expecting that's exactly what will happen. The marijuana grower's low stock float and wild swings over the last month have received a lot of attention.

  • Netflix to Investors: Get Ready For More Cash Burn
    Business
    Motley Fool

    Netflix to Investors: Get Ready For More Cash Burn

    Netflix (NASDAQ: NFLX) investors have been giving the streamer another round of applause since the latest earnings report. It was an all-around solid report: Total subscriber growth easily beat estimates, with the company adding 7 million members against a forecast of just 5 million. Netflix naysayers, however, will find more to complain about in the company's cash burn rate, as management gave them more fodder with its forecast.

  • Are the Bulls or Bears Right About Philip Morris International?
    Business
    Motley Fool

    Are the Bulls or Bears Right About Philip Morris International?

    Shares of Philip Morris International (NYSE: PM) rose 4% on Oct. 18 after the tobacco giant posted third quarter numbers that topped analysts' expectations. For the full year PMI expects its revenue to rise approximately 3% on a constant currency basis, and for its earnings to grow 8% to 9% on the same basis. What the bulls say...

  • This Midstream Oil & Gas Stock Is Still a Steal
    Business
    Motley Fool

    This Midstream Oil & Gas Stock Is Still a Steal

    The midstream sector is out of favor today, with the Alerian MLP ETF still off roughly 45% from its mid-2014 highs. Midstream companies own the assets that move oil, natural gas, and related products around the country. Investors were pretty excited about this space a few years back, pushing the prices of midstream companies higher and their yields lower.