Consumer Rights Wiki

Panera's failure to disclose a known security breach: Difference between revisions

← Older edit
VisualWikitext
SquidthePlummer (talk | contribs)
confirmed
590 edits
m used galleries
 
(3 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Cleanup}}
{{IncidentCargo
{{IncidentCargo
|Company=Panera Bread
|Company=Panera Bread
|StartDate=2017-08-02
|StartDate=2 August 2017
|EndDate=2018
|EndDate=2018
|Status=Resolved
|Status=Resolved
|Type=Security
|Type=Security
|Description=Company ignored security risks for 8 months, affecting 37 million users.
|Description=Company ignored security risks for 8 months, affecting 37 million users.
}}{{Cleanup}}
}}
 
Back in 02 August 2017, security researcher Dylan Houlihan notified [[Panera Bread]] of the breach that allowed hackers to access over 37 million customers personal information via its website, however the company wouldn't take any action until 8 month later on 02 April 2018. This would eventually result in a lawsuit 3 days later, however it was eventually dismissed by the plaintiffs on June 2018.<ref>{{Cite web |last=Ms. |first=Smith |date=3 April 2018 |title=Panera Bread blew off breach report for 8 months, leaked millions of customer records |url=https://www.csoonline.com/article/565050/panera-bread-blew-off-breach-report-for-8-months-leaked-millions-of-customer-records.html |url-status=live |archive-url=https://web.archive.org/web/20250618211944/https://www.csoonline.com/article/565050/panera-bread-blew-off-breach-report-for-8-months-leaked-millions-of-customer-records.html |archive-date=18 June 2025 |access-date=29 March 2026 |website=CSO}}</ref><ref>{{Cite web |last=Chappell |first=Bill |date=3 April 2018 |title=For Months, Panera Bread Website Reportedly Exposed Millions Of Customer Records |url=https://www.npr.org/sections/thetwo-way/2018/04/03/599135288/for-months-panera-bread-website-reportedly-exposed-millions-of-customer-records |url-status=live |archive-url=https://web.archive.org/web/20250717104401/https://www.npr.org/sections/thetwo-way/2018/04/03/599135288/for-months-panera-bread-website-reportedly-exposed-millions-of-customer-records |archive-date=17 July 2025 |access-date=29 March 2026 |website=NPR}}</ref>
Back in 02 August 2017, security researcher Dylan Houlihan notified [[Panera Bread]] of the breach that allowed hackers to access over 37 million customers personal information via its website, however the company wouldn't take any action until 8 month later on 02 April 2018. This would eventually result in a lawsuit 3 days later, however it was eventually dismissed by the plaintiffs on June 2018.<ref>{{Cite web |last=Ms. |first=Smith |date=3 April 2018 |title=Panera Bread blew off breach report for 8 months, leaked millions of customer records |url=https://www.csoonline.com/article/565050/panera-bread-blew-off-breach-report-for-8-months-leaked-millions-of-customer-records.html |url-status=live |archive-url=https://web.archive.org/web/20250618211944/https://www.csoonline.com/article/565050/panera-bread-blew-off-breach-report-for-8-months-leaked-millions-of-customer-records.html |archive-date=18 June 2025 |access-date=29 March 2026 |website=CSO}}</ref><ref>{{Cite web |last=Chappell |first=Bill |date=3 April 2018 |title=For Months, Panera Bread Website Reportedly Exposed Millions Of Customer Records |url=https://www.npr.org/sections/thetwo-way/2018/04/03/599135288/for-months-panera-bread-website-reportedly-exposed-millions-of-customer-records |url-status=live |archive-url=https://web.archive.org/web/20250717104401/https://www.npr.org/sections/thetwo-way/2018/04/03/599135288/for-months-panera-bread-website-reportedly-exposed-millions-of-customer-records |archive-date=17 July 2025 |access-date=29 March 2026 |website=NPR}}</ref>
==Original Contact==
==Original Contact==
On 02 August 2017, Security Researcher Dylan Houlihan first contacted Panera Bread security director Mike Gustavison of a breach after finding it accidentally through their website, containing customers accounts information that includes full name, home address, email address, food preferences, username, phone number, birthday and last four digits of a debit/credit card in plain text.<ref>{{Cite web |last=Houlihan |first=Dylan |date=3 April 2018 |title=No, Panera Bread Doesn’t Take Security Seriously |url=https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 |url-status=live |archive-url=https://web.archive.org/web/20180403023125/https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 |archive-date=3 April 2018 |access-date=29 March 2026 |website=Medium}}</ref><ref>{{Cite web |last=Krebs |first=Brian |date=2 April 2018 |title=Panerabread.com Leaks Millions of Customer Records |url=https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ |url-status=live |archive-url=https://web.archive.org/web/20180402220110/https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ |archive-date=2 April 2018 |access-date=29 March 2026 |website=KrebsOnSecurity}}</ref>
On 02 August 2017, Security Researcher Dylan Houlihan first contacted Panera Bread security director Mike Gustavison of a breach after finding it accidentally through their website, containing customers accounts information that includes full name, home address, email address, food preferences, username, phone number, birthday and last four digits of a debit/credit card in plain text.<ref>{{Cite web |last=Houlihan |first=Dylan |date=3 April 2018 |title=No, Panera Bread Doesn’t Take Security Seriously |url=https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 |url-status=live |archive-url=https://web.archive.org/web/20180403023125/https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 |archive-date=3 April 2018 |access-date=29 March 2026 |website=Medium}}</ref><ref>{{Cite web |last=Krebs |first=Brian |date=2 April 2018 |title=Panerabread.com Leaks Millions of Customer Records |url=https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ |url-status=live |archive-url=https://web.archive.org/web/20180402220110/https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ |archive-date=2 April 2018 |access-date=29 March 2026 |website=KrebsOnSecurity}}</ref>
[[File:Pandera Bread hack on website.png|thumb|Hacked Website]]
<gallery>
[[File:Panera Bread first email.png|center|thumb|First Response ]]
File:Panera Bread hack on website.png|Hacked Website
File:Panera Bread first email.png|First Response
</gallery>




The next day, the company responded back, perceiving the message as spam and a attempt at a "sales pitch", suggesting a "better approach" due to demanding a PGP key to be "not a good way to start off". Couple hours later, Dylan Houlihan responded by stating he didn't make any attempts at a sales pitch, along with asking to send the vulnerability information via PGP or email.
The next day, the company responded back, perceiving the message as spam and a attempt at a "sales pitch", suggesting a "better approach" due to demanding a PGP key to be "not a good way to start off". Couple hours later, Dylan Houlihan responded by stating he didn't make any attempts at a sales pitch, along with asking to send the vulnerability information via PGP or email.
[[File:Panera Bread third email.png|thumb|PGP Received]]
<gallery>
[[File:Panera Bread secound email.png|left|thumb|Second Email]]
File:Panera Bread third email.png|PGP Received
[[File:Panera Bread fourth email.png|center|thumb|250x250px|Fourth Email]]
File:Panera Bread second email.png|Second Email
 
File:Panera Bread fourth email.png|Fourth Email
</gallery>




Line 33: Line 39:


==Lawsuit==
==Lawsuit==
{{Ph-I-L}}
On 04 May 2018, plaintiff Alisha Boykin, Kristen Hansen, Tracy Mangano, Amy Dittbenner, Lara Sulelman, and Dusica Perez file a class action lawsuit against Panera for failure to investigate and alert customers of the data breach, claiming "Panera has taken no other efforts since discovering the security breach to inform customers that their Personal Identifying Information was leaked and/or compromised.”<ref>{{Cite web |last=Shaak |first=Erin |date=6 April 2018 |title=Panera Bread Facing Lawsuit Over Potential Security Breach |url=https://www.classaction.org/blog/panera-bread-facing-lawsuit-over-potential-security-breach |url-status=live |access-date=29 March 2026 |website=ClassAction}}</ref> The case was voluntary dismissed without prejudice by the plaintiffs on June 2018 due to lack of affiliation with the data breach.<ref>{{Cite web |last=Bucher |first=Anne |date=7 June 2018 |title=Panera Data Breach Class Action Voluntarily Dismissed by Plaintiffs |url=https://topclassactions.com/lawsuit-settlements/lawsuit-news/panera-data-breach-class-action-voluntarily-dismissed-plaintiffs/ |url-status=live |access-date=29 March 2026 |website=Top Class Action}}</ref>


<ref>{{Cite web |last=Shaak |first=Erin |date=6 April 2018 |title=Panera Bread Facing Lawsuit Over Potential Security Breach |url=https://www.classaction.org/blog/panera-bread-facing-lawsuit-over-potential-security-breach |url-status=live |access-date=29 March 2026 |website=ClassAction}}</ref><ref>{{Cite web |last=Bucher |first=Anne |date=7 June 2018 |title=Panera Data Breach Class Action Voluntarily Dismissed by Plaintiffs |url=https://topclassactions.com/lawsuit-settlements/lawsuit-news/panera-data-breach-class-action-voluntarily-dismissed-plaintiffs/ |url-status=live |access-date=29 March 2026 |website=Top Class Action}}</ref>
==Consumer response==
==Consumer response==
{{Ph-I-ConR}}
{{Ph-I-ConR}}
Line 41: Line 46:
{{reflist}}
{{reflist}}
[[Category:Panera Bread]]
[[Category:Panera Bread]]
[[Category:2017 incidents]]
Retrieved from "https://consumerrights.wiki/w/Panera%27s_failure_to_disclose_a_known_security_breach"