Panera Bread Security Lesson: Rise to the Challenge
Leaving API Endpoint Exposed After Researcher's Alert Was Recipe for Failure
Panera Bread, the well-known U.S. bakery café chain, appears to have failed to fix a customer data leak for more than eight months after getting a heads-up from a security researcher that one of the company's internet-connected API endpoints was exposing customer data (see: Panera Bread Data Leak Persisted For Eight Months).
As with so many information security stumbles, the incident offers numerous lessons to help organizations avoid a similar fate, and not just organizations that peddle sandwiches, bread and soup.
Here are three essential takeaways:
1. Review Your Cybersecurity Culture
All firms should review their own policies, procedures - and really, culture - to make sure they wouldn't make the same type of mistake that Panera appears to have made, says Chris Pierson, CEO of Binary Sun Cyber Risk Advisors, a cybersecurity consultancy.
"If the facts play out as reported - i.e. that Panera had eight months of knowledge of data leakage and did nothing to spring into action - then I think this may go beyond technical issues and may be more of a cultural or governance issue," Pierson tells me.
"The possibility that a company was warned about data leakage that could be independently verified and may have done nothing over the course of several months really stains the reputation of the CISO who's on the frontlines every day," he says. "Boards and C-suites have got to do more here to make sure the right risks are understood and dimensioned, governance exists and is well-tuned, and the proper culture exists within the corporate ranks to include cybersecurity in the DNA of the company."
2. Listen to Researchers
It's not clear how long Panera Bread's data leak persisted. Dylan Houlihan, the security researcher who discovered the problem and reported it to the restaurant chain in August 2017, only to find it remained unfixed eight months later, also reported getting a frosty response to his initial tipoff. According to emails published by Houlihan, Mike Gustavison, Panera Bread's director of information security, told him he initially thought the data-leak alert was a scam.
One takeaway from this interchange: Give security researchers a dedicated way to notify your organization about flaws as well as a checklist for how they should do so. Ideally, this information page for researchers should be a stand-alone page on your organization's website, with a dedicated email address as well as recourse to your firm's security-reporting PGP key.
3. Launch a Bug Bounty Program
Even better, create a formal bug bounty program with a partner, such as Bugcrowd or HackerOne, as many firms have now done (see: Microsoft Offers Payouts for New Spectre, Meltdown Flaws).
Launching these types of programs lets the bug bounty provider handle researchers' inquiries and reports while also demonstrating that your organization takes the work of independent information security researchers seriously.
Because if your organization doesn't take this step, it's going to look like an amateur, especially if your missteps in any way have customer data repercussions.
Or Else: 3, 2, 1 and Lawsuit
Organizations that fail to give security researchers an easy way to report problems, and which do not fix such problems in a timely manner, can expect some easy-to-predict consequences.
Shareholder ire is one. Luckily for Panera Bread, as of last July the company is no longer publicly traded, having been acquired by JAB Consumer Fund and JAB Holding Co. So the company won't face potential shareholder actions or a U.S. Securities and Exchange Commission investigation into its data leak.
But it's a virtual certainty that Panera Bread will face breach-related lawsuits seeking class-action status. That's what has happened after many other breaches, including those that hit Ashley Madison, Equifax and Intel, among dozens of others (see: Federal Judge: Yahoo Breach Victims Can Sue).
Temporary Reputation Hit
The bad news for businesses is that data breaches drag companies' reputations through the mud, occasionally resulting in security executives and other members of the management team getting dumped (see: More Questions Raised After Equifax CIO, CSO 'Retire').
The bad news for consumers is that in almost every data breach - except for cryptocurrency exchanges that go bust - any reputational damage is short-term. Breached businesses' stock prices invariably recover within a year (see: Cynic's Guide to the Equifax Breach: Nothing Will Change).
More bad news for customers of breached businesses is that most data breach lawsuits fail due to plaintiffs' inability to prove financial harm. That's due in large part to credit card issuers being legally obliged to compensate cardholders for any fraud (see: Why So Many Data Breach Lawsuits Fail).
But the best news for everyone would be if more organizations simply paid better attention to the work of white-hat security researchers. The flaws they're finding are the same ones that criminals may already be exploiting. So listen up.