Panerabread.com Leaks Millions of Customer Records

It has been reported that Panerabread.com, the Web site for the American chain of bakery-cafe restaurants, has leaked customer records.

In response to the news that Panerabread.com leaked millions of customer records for at least eight months before it was taken offline, Terry Ray, CTO of Imperva, said: "It’s never a good day for companies when there is a proven data breach or data made available long-term, as the Federal Trade Commission can easily get involved and ask simple questions to which you don’t have complete answers. Was personal and credit card data exposed to the internet? Was any of it taken? How much data was stolen? Where did it go? When was it taken?

"Law enforcement will need to find proof that data was stolen before levying fines or requiring identity theft protection for consumers, but past situations have shown that the FTC doesn’t have to find every record on the web; they just have to find some, and then it’s up to the victim company to prove how many records were taken. Also, I expect PCI regulators will question any PCI audits done since August, looking for passes on application security, code review and code correction.

"Panera appears to have had an application security practice in place, so any investigation will likely spend time understanding what Panera monitored of normal versus abnormal activity, whether they had a regularly scheduled security assessment run against their public websites, and whether they corrected poor coding practices once found.

"It seems, at a minimum, they failed to believe and test the first finding of this breach in August, and quickly rectified the issue once it went public here in April. They certainly appear capable of fixing the issue, as they did quickly today, so why didn’t it happen in August when they were first alerted?"
