Panera's failure to disclose a known security breach: Difference between revisions
→Contact with Panera Bread: changed name
Eight months later, on 02 April 2018, Dylan Houlihan informed KrebsOnSecurity and Troy Hunt; Krebs took up the offer and contacted Panera Bread's chief information officer.
After being contacted, Panera Bread took its website down for about an hour to fix the vulnerability and then released a statement saying the issue had been resolved within two hours and emphasizing its commitment to security.<blockquote>''"Panera takes data security very seriously and this issue is resolved. Following reports of today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved."''</blockquote>KrebsOnSecurity responded to this statement soon after on [[X Corp|X]] (formerly Twitter).<blockquote>''"Hey Panera, despite your statements to the contrary, you still haven't fixed this customer info leak. Would you like to revisit the 10k number you just gave to Fox news? <nowiki>https://t.co/AJeiq6Dfd0</nowiki>"''</blockquote>On the same day, KrebsOnSecurity published its report, and within five minutes Panera Bread released another statement saying that fewer than 10,000 customers had been affected by the incident:<blockquote>''"Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps"''</blockquote>Soon after Panera Bread's announcement, it was discovered that the vulnerability had not actually been fixed, and KrebsOnSecurity posted on [[X Corp|X]] (formerly Twitter) refuting the company's claims.
[[File:KrebsOnSecurity link showcase.png|thumb|KrebsOnSecurity Link Showcase]]
<blockquote>''"Per my last tweet, Panera issued a statement to Fox News saying the breach only impacted 10,000 customer accounts. Interesting that they had no numbers for me, and yet had this 10k number all ready to go on the same day this was "discovered," eight months after it was reported."'' ''"10k records, eh @panerabread ? Isn't that what you told Fox News right after my story ran? Fixed the issue, have you? How do you explain this? <nowiki>https://t.co/tWgSNv71TA</nowiki>"''</blockquote>It was later discovered that the same vulnerability also affected another of Panera Bread's applications.<blockquote>''"Hey @panerabread : before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn't extend to all other parts of your business, like <nowiki>https://t.co/rSpkwc3y1v</nowiki>, etc. Only proper response is to deep six entire site"''</blockquote><!-- this claim about the time might be inaccurate and needs checking -->
After several more tweets from KrebsOnSecurity, Panera Bread took its website down again for a few hours, displaying this message.
[[File:Panera Bread second website takedown notice.png|center|thumb|Website Second Take down notice]]