• Panera accused security researcher of "scam" when he reported a major f

    From Nomen Nescio@21:1/5 to All on Thu Apr 5 23:44:43 2018
    XPost: co.food, rec.food.cooking, stl.dining
    XPost: comp.security.misc

    For the record, Panera uses Ubuntu, CentOS, RedHat, Ansible,
    Chef, Puppet, Docker, Red Hat Cloud Forms, VMware, OpenStack, or
    Cloud Management platform technology.

    Panera didn't fix flaw for 8 months; 37 million records were
    allegedly exposed.

    Eight months ago, Panera Bread was notified of a security flaw
    that was leaking customer information to anyone who knew where
    to look for it. But the company failed to fix the flaw until
    this week after the breach was made public in a report
    suggesting that it affected 37 million customer records.

    Panera Bread said this week that the leak affected fewer than
    10,000 consumers and that it has been fixed. But security
    reporter Brian Krebs and the security researcher who notified
    Panera of the breach last year disputed that account. They say
    that millions of customer records were available online and that
    they remained available at publicly accessible URLs after Panera
    said the flaw was fixed. Those URLs appear to have finally been
    scrubbed of the customer information, as they now produce error
    messages instead of customer data.

    The records "could be indexed and crawled by automated tools
    with very little effort," Krebs wrote yesterday. Leaked data
    included Panera customers' loyalty card numbers, "which could
    potentially be abused by scammers to spend prepaid accounts or
    to otherwise siphon value from Panera customer-loyalty
    accounts," he wrote.

    Leaked data also included usernames, first and last names, email
    addresses, phone numbers, birthdays, the last four digits of
    credit card numbers, home addresses, social account integration
    information, and saved food preferences and dietary
    restrictions, according to security researcher Dylan Houlihan.

    Before being taken down, the URLs showed customer data in this

    https://cdn.arstechnica.net/wp-content/uploads/2018/04/panera-customer-data-640x304.jpg

    According to Houlihan, the flaw "let anyone search by a variety
    of customer attributes, including phone number, email address,
    physical address, or loyalty account number." In the example
    above, "the phone number was a main line at an office building
    where many different employees apparently registered to order
    food online."

    Panera ignored email, saying it looked like a scam

    Houlihan notified Panera about the data leak on August 2, 2017,
    telling the company that its delivery website "exposes sensitive
    information belonging to every customer who has signed up for an
    account to order Panera Bread online." Panera has more than
    2,000 stores nationwide and annual sales of more than $5 billion.

    Houlihan offered to send Panera more details on the flaw in an
    encrypted format if the company was willing to provide a PGP
    key. Houlihan also offered to send the information via
    unencrypted email or discuss it in a phone call.

    In response, Panera Information Security Director Mike
    Gustavison accused Houlihan of trying to scam the company,
    according to screenshots of emails published by Houlihan in his
    blog post yesterday.

    Here was Gustavison's response:

    My team received your emails however it was very suspicious and
    appeared scam in nature therefore was ignored. If this is a
    sales tactic I would highly recommend a better approach as
    demanding a PGP key would not be a good way to start off. As a
    security professional you should be aware that any organization
    that has a security practice would never respond to a request
    like the one you sent. I am willing to discuss whatever
    vulnerabilities you believe you have found but I will not be
    duped, demanded for restitution/bounty, or listen to a sales

    The email screenshots don't show Houlihan trying to sell
    anything—he was privately notifying Panera of a flaw that leaked
    the data of many customers, including his own. As a security
    professional himself, Houlihan noted that he would not start a
    conversation about a potential security flaw "by being

    Gustavison eventually provided a PGP key and Houlihan sent the
    detailed information in an encrypted message. Houlihan sent
    several followup emails without getting a response but then
    received a reply from Gustavison on August 9 saying that the
    company was "working on a resolution."

    "[A]fter I was reassured this would be fixed, I checked on this
    vulnerability every month or so because my own data is in there,
    which means I'm personally affected by it," Houlihan wrote. "So
    I personally know for a fact that it was never patched in the
    interim. And even if it was, that it would be fixed and
    inadvertently reintroduced is nearly as bad as not fixing it at
    all. But I held off on doing anything, deciding to let them
    proceed. Eight months go by."

    “Panera takes data security very seriously”

    Frustrated by the lack of a fix, Houlihan finally reached out to
    Krebs and security expert Troy Hunt. An article published by
    Krebs yesterday spurred Panera to take action, at least on the
    public relations front.

    "Panera takes data security very seriously, and this issue is
    resolved," Panera Bread Chief Information Officer John Meister
    told Fox in this article yesterday.

    Panera said there was no evidence of payment card information
    being leaked and that "[o]ur investigation to date indicates
    that fewer than 10,000 consumers have been potentially affected
    by this issue."

    Krebs disputed Panera's attempt to downplay the story last
    night. In an update to his article, he wrote that Panera
    "basically 'fixed' the problem by requiring people to log in to
    a valid user account at panerabread.com in order to view the
    exposed customer records (as opposed to letting just anyone with
    the right link access the records)."
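    As an added illustration (not Panera's code, and not from Krebs's or Houlihan's write-ups), here is a constructed in-memory model of the three access-control states at issue: the unauthenticated attribute search as reported, the login-only change Krebs describes (any valid account can still read every record), and an object-level authorization check that returns only the caller's own record. A small helper also flags sessions that pull many distinct records, the crawling pattern Krebs warned about. All names, records and thresholds are assumptions.

```python
# Constructed illustration of the access models discussed in the article.
# Record store, user ids and phone numbers are made-up sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    user_id: int
    phone: str
    email: str
    last4: str  # last four digits of a payment card, as in the leaked fields


# Constructed sample data, not real customer records. Two accounts share a
# phone number, mirroring the "office main line" example in the article.
RECORDS = [
    Customer(1, "555-0100", "alice@example.com", "4242"),
    Customer(2, "555-0100", "bob@example.com", "1111"),
    Customer(3, "555-0199", "carol@example.com", "9999"),
]


class Forbidden(Exception):
    pass


def lookup_unauthenticated(phone):
    """The reported exposure: any caller can search by attribute, no session."""
    return [c for c in RECORDS if c.phone == phone]


def lookup_login_only(session_user_id, phone):
    """The 'fix' as Krebs described it: a login is required, but any valid
    account can still view everyone's records. Authentication only."""
    if session_user_id is None:
        raise Forbidden("login required")
    return [c for c in RECORDS if c.phone == phone]


def lookup_object_level_authz(session_user_id, phone):
    """Hardened form: the search is scoped to records the caller owns, so a
    match on someone else's phone number returns nothing rather than leaking."""
    if session_user_id is None:
        raise Forbidden("login required")
    return [c for c in RECORDS if c.phone == phone and c.user_id == session_user_id]


def flag_enumeration(access_log, threshold=20):
    """Detection aid over (session, user_id_fetched) pairs: a session that
    reads more distinct customer records than `threshold` looks like crawling."""
    seen = {}
    for session, user_id in access_log:
        seen.setdefault(session, set()).add(user_id)
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)
```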

    Troy Hunt, on Twitter (3:47 PM - Apr 2, 2018 · Keauhou, HI):

    “Panera takes data security very seriously” - Bull. Shit.

    This is the sort of incident regulators need to throw the book
    at. It’s one thing to have a vulnerability, but it’s quite
    another to ignore it *and* claim you’re taking it seriously.
    https://twitter.com/briankrebs/status/980923452638027777

    Krebs also tweeted links that, he said, showed the breach
    affected 37 million customer records.

    The links provided by Krebs now result in error messages.

    "I'm not aware of any of the flaws that I saw yesterday still
    existing on the site," Krebs told Ars today.

    Krebs said his own testing "seems to indicate the issues I
    raised are no longer issues." But he added that "only Panera can
    really tell you if they've fixed it."

    Ars has emailed Panera's public relations department and
    Gustavison, and we will update this story if we receive more
    information. Among other things, we asked Panera how it
    determined that fewer than 10,000 consumers were affected.

    Houlihan was disappointed in Panera's response to the security
    flaw and the company's attempt to downplay the flaw's severity
    in public statements.

    "Until we start holding companies more accountable for their
    public statements with respect to security, we will continue to
    see statements belying a dismissive indifference with PR speak,"
    Houlihan wrote. "In the words of Troy Hunt, when Panera Bread
    says, 'We take security seriously', they mean, 'We didn't take
    it seriously enough.'"

    https://arstechnica.com/information-technology/2018/04/panera-accused-security-researcher-of-scam-when-he-reported-a-major-

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)