Panera's failure to disclose a known security breach: Difference between revisions
→Lawsuit: added 2018 |
m used galleries |
||
| Line 13: | Line 13: | ||
==Original Contact== | ==Original Contact== | ||
On 02 August 2017, Security Researcher Dylan Houlihan first contacted Panera Bread security director Mike Gustavison of a breach after finding it accidentally through their website, containing customers accounts information that includes full name, home address, email address, food preferences, username, phone number, birthday and last four digits of a debit/credit card in plain text.<ref>{{Cite web |last=Houlihan |first=Dylan |date=3 April 2018 |title=No, Panera Bread Doesn’t Take Security Seriously |url=https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 |url-status=live |archive-url=https://web.archive.org/web/20180403023125/https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 |archive-date=3 April 2018 |access-date=29 March 2026 |website=Medium}}</ref><ref>{{Cite web |last=Krebs |first=Brian |date=2 April 2018 |title=Panerabread.com Leaks Millions of Customer Records |url=https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ |url-status=live |archive-url=https://web.archive.org/web/20180402220110/https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ |archive-date=2 April 2018 |access-date=29 March 2026 |website=KrebsOnSecurity}}</ref> | On 02 August 2017, Security Researcher Dylan Houlihan first contacted Panera Bread security director Mike Gustavison of a breach after finding it accidentally through their website, containing customers accounts information that includes full name, home address, email address, food preferences, username, phone number, birthday and last four digits of a debit/credit card in plain text.<ref>{{Cite web |last=Houlihan |first=Dylan |date=3 April 2018 |title=No, Panera Bread Doesn’t Take Security Seriously |url=https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 |url-status=live |archive-url=https://web.archive.org/web/20180403023125/https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815 |archive-date=3 April 2018 |access-date=29 March 2026 |website=Medium}}</ref><ref>{{Cite web |last=Krebs |first=Brian |date=2 April 2018 |title=Panerabread.com Leaks Millions of Customer Records |url=https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ |url-status=live |archive-url=https://web.archive.org/web/20180402220110/https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/ |archive-date=2 April 2018 |access-date=29 March 2026 |website=KrebsOnSecurity}}</ref> | ||
<gallery> | |||
File:Panera Bread hack on website.png|Hacked Website | |||
File:Panera Bread first email.png|First Response | |||
</gallery> | |||
The next day, the company responded back, perceiving the message as spam and a attempt at a "sales pitch", suggesting a "better approach" due to demanding a PGP key to be "not a good way to start off". Couple hours later, Dylan Houlihan responded by stating he didn't make any attempts at a sales pitch, along with asking to send the vulnerability information via PGP or email. | The next day, the company responded back, perceiving the message as spam and a attempt at a "sales pitch", suggesting a "better approach" due to demanding a PGP key to be "not a good way to start off". Couple hours later, Dylan Houlihan responded by stating he didn't make any attempts at a sales pitch, along with asking to send the vulnerability information via PGP or email. | ||
<gallery> | |||
File:Panera Bread third email.png|PGP Received | |||
File:Panera Bread second email.png|Second Email | |||
File:Panera Bread fourth email.png|Fourth Email | |||
</gallery> | |||
| Line 43: | Line 46: | ||
{{reflist}} | {{reflist}} | ||
[[Category:Panera Bread]] | [[Category:Panera Bread]] | ||
[[Category:2017 incidents]] | |||