Security firm: Panera Bread website still vulnerable

A second security expert, whose Milwaukee firm found flaws at Equifax and uncovered a massive Russian hacking ring, has raised questions about the vulnerability of Panera Bread’s website.

Panera Bread, in a statement released Monday, said the restaurant company fixed security issues to its website after learning of a potential security threat that same day.

But, Alex Holden, founder and chief information security officer at Hold Security, said that Panera Bread’s initial repair did not go far enough.

“I believe that the fix applied last night mitigated the immediate issue with exposure,” he told Nation’s Restaurant News in an email.

“However, looking at my personal setting account on Panera site, I noticed a number of serious vulnerabilities and exposures that are unbecoming to a site like Panera’s and the data it is set to protect.”

Hold Security provides security needs such as deep web monitoring and post-breach investigations to companies.  Last September, the firm uncovered a critical password flaw within a portal site run by Equifax in Argentina. That discovery came shortly after Equifax announced a massive breach that exposed the personal data of 143 million customers.

Holden’s firm has also been credited for discovering in 2014 a Russian crime ring that “amassed the largest known collection of stolen Internet credentials,” according to the New York Times.

Holden said he began researching Panera’s site after he was alerted by Brian Krebs, a cyber security blogger and former Washington Post investigative journalist.

Panera Bread was thrust into the spotlight this week after Krebs broke the news that the fast-casual chain potentially exposed millions of customers’ personal data such as partial credit card information.

Furthermore, Krebs said Panera Bread took months to address the problem. The company was first warned about the security issue in August by New York area security researcher Dylan Houlihan. Houlihan tipped off Krebs about the data breach, and the lack of company response.

Panera Bread said the problem was resolved this week. The restaurant chain has not responded to NRN’s request for additional comment, including why the company didn’t act last summer when the flaws were first brought the chain’s attention.

Houlihan, a managing principal at security consulting firm in the greater New York area, said he warned a high level Panera security executive of the problem last year.  The website flaws revealed the full names, addresses, emails and last four digits of customer credit card numbers, Houlihan said.

When St. Louis-based fast-casual leader didn’t fix the problem for months, Houlihan said, he brought the story to Krebs.

After Krebs’ article ran on Monday, Panera told media outlets that the issue was repaired.

The chain, owned by JAB Holding Co., said it is continuing to investigate the issue; however, “there is no evidence of payment card information nor a large number of records being accessed or retrieved,” the company said in a statement.

Panera claims fewer than 10,000 consumers have been potentially affected.

Holden doesn’t agree. He said the flaws stretched to various parts of the company’s portals including anyone registered with its loyalty program and anyone who ordered delivery or catering. After crunching the numbers, he said exposure is more likely in the millions — possibly as high as 41 million, rather than 10,000 as stated by Panera.

“Panera PR misstated the scope of the exposure by several orders of magnitude and their technical staff failed to fix the root cause of the issue,” he said.

Comments

comments