No, Panera Bread Doesn’t Take Security Seriously

  1. First, the proof that I reported this, and the beginning of the timeline. I reported this vulnerability in August 2017, which is shown by the following email exchange with Panera Bread’s Information Security Director, Mike Gustavison. After attempting to contact them through a generic security@panerabread.com email address (which bounced), Twitter and even LinkedIn and email messages to Mike Gustavison (whose information I found on LinkedIn), I was formally introduced by an industry contact who had a mutual connection.
In which I am accused of being a scam artist after sending a polite email informing a security professional of a security vulnerability in their software. Note that I do not, at any time in any email, solicit services or try to deceive.
I receive a PGP key, great.
I send the encrypted report, then follow up. Notice the days passing.
Following up again. More days pass. Finally an explicit acknowledgement. Note — still August, 2017.
Also for the tech savvy, note `echo -n "my name is Dylan Houlihan helloworldfoobar" | openssl dgst -sha256` => 7682200f0cd27a4f1a3c2301941d959aae7abf89136c38a4f1ded4d2bb7a67d7
A company is incompetent enough to leave a gaping hole like this trivially open for eight months after initial notification, yet it’s competent enough to review its logs definitively within two hours of the publicity?
Again, “no evidence of intrusion”, which is parroted from Panera Bread.
This is just incorrect. Most people only ever read the headline, yet this one completely obscures the fact that Panera Bread sat on the vulnerability for eight months.
And there it is, in bold letters and emphasized in quotation — “Panera take data security very seriously and this issue is resolved.”
Note the time (Eastern) — this is well after Panera was back up.
So did they just make it up?
That link demonstrates the same vulnerability on a different API endpoint.
Righteous pun, for what it’s worth.
Again, same vulnerability, different API endpoint.
“Resolved”
“Resolved”
  1. We could collectively afford to be more critical of companies when they issue reactionary statements to do damage control. We need to hold them to a higher standard of accountability. I honestly don’t know what that looks like for the media, but there has to be a better way to do thorough, comprehensive reporting on this.
  2. We need to collectively examine what the incentives are that enabled this to happen. I do not believe it was a singular failure with any particular employee. It’s easy to point to certain individuals, but they do not end up in those positions unless that behavior is fundamentally compatible with the broader corporate culture and priorities.
  3. If you are a security professional, please, I implore you, set up a basic page describing a non-threatening process for submitting security vulnerability disclosures. Make this process obviously distinct from the, “Hi I think my account is hacked” customer support process. Make sure this is immediately read by someone qualified and engaged to investigate those reports, both technically and practically speaking. You do not need to offer a bug bounty or a reward. Just offering a way to allow people to easily contact you with confidence would go a long way.
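One concrete form of the “basic page” recommended in point 3 is the RFC 9116 `security.txt` file served at `/.well-known/security.txt`. The checker below is an added example, not the author’s code or anything Panera publishes; the two files it inspects are constructed samples for `example.com`, and `FIXED_NOW` is a hypothetical clock so the result is reproducible.

```python
# Added example: validate a security.txt before publishing it, so a reporter
# who finds it actually reaches a working, current contact.
from datetime import datetime, timezone

FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # hypothetical "today"

GOOD = """\
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00.000Z
Encryption: https://example.com/pgp-key.txt
Policy: https://example.com/security/disclosure-policy
"""

# Constructed file with the mistakes the post's story turns on:
# a bare (non-URI) address, an expiry long past, and no way to encrypt.
BAD = """\
Contact: security@example.com
Expires: 2018-04-02T00:00:00.000Z
"""

def parse_security_txt(text):
    """Return {field-name-lowercased: [values]}, skipping blanks and # comments."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    f = parse_security_txt(text)
    problems = []
    contacts = f.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:  # RFC 9116 requires a URI, not a bare e-mail address
        if not c.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact is not a URI: {c}")
    expires = f.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp <= now:
                problems.append("Expires is in the past: file is stale")
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]}")
    if "encryption" not in f:  # optional in the RFC, but reporters will want it
        problems.append("no Encryption field: reporters cannot send an encrypted report")
    return problems
```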
