Panera's failure to disclose a known security breach: Difference between revisions

← Older edit Newer edit →

VisualWikitext

@@ Line 1: / Line 1: @@
-#REDIRECT [[Panera's failure to disclose a known security breach]]{{IncidentCargo
+{{IncidentCargo
 |Company=Panera Bread
 |StartDate=2017-08-02
@@ Line 22: / Line 22: @@
 https://medium.com/@djhoulihan/no-panera-bread-doesnt-take-security-seriously-bf078027f815
-==Contact with Panera Bread==
+== Contact with Panera Bread ==
 On 02 August 2017, Security Researcher Dylan Houlihan first contacted Panera Bread security director Mike Gustavison of a breach after finding it accidentally through their website, containing customers accounts information that includes full name, home address, email address, food preferences, username, phone number, birthday and last four digits of a debit/credit card in plain text.
 [[File:Pandera Bread hack on website.png|thumb|Hacked Website]]
@@ Line 36: / Line 36: @@
 On the same day, the company send the researcher the PGP key, after which he sends the report to Panera Bread and in a follow up reply, ask if the company was successful in decrypting the report, however the company didn't respond. Dylan Houlihan would sent several more responses asking for confirmation of successfully decrypting the PGP key, eventually receiving a response on 09 August confirming the decryption.
-==Incident==
+== Incident ==
 [[File:Panera Bread website takedown notice.png|thumb|Website Take down notice]]
 months later on 02 April 2018, Dylan Houlihan would inform KrebsOnSecurity and Troy Hunt, with Krebs eventually taking on the offer and contacting Panera Bread chief information officers. After contact, Panera Bread website was taken down for about an hour to fix the vulnerability, eventually releasing a statement, stating that the issued has been solved within 2 hours and showcasing their commitment to security.<blockquote>''"Panera takes data security very seriously and this issue is resolved. Following reports of today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being access or retrieved."''</blockquote>KrebsonSecurity would respond to this statement soon after on [[X Corp|X]] (formerly Twitter).<blockquote>''"Hey Panera, despite your statements to the contrary, you still haven't fixed this customer info leak. Would you like to revisit the 10k number you just gave to Fox news? <nowiki>https://t.co/AJeiq6Dfd0</nowiki>"''</blockquote>On the same day, KrebsOnSecurity release their report and within 5 minute Panera Bread would release another statement, stating that less than 10,000 were affected by the incidents;<blockquote>''" Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps"''</blockquote>Soon after Panera Bread announcement, it was discovered that the patch wasn't fixed, with KrebsOnSecurity making a post on [[X Corp|X]] (formerly Twitter) refuting the company claims.
@@ Line 52: / Line 52: @@
 {{Ph-I-ConR}}
 ==References==
-{{reflist}}{{DEFAULTSORT:Panera's failure to disclose a known security breach}}
+{{reflist}}
 [[Category:Panera Bread]]