[BreachExchange] Panera’s Breach And The Knead For National Notification

Inga Goddijn inga at riskbasedsecurity.com
Mon Apr 16 16:52:59 EDT 2018


https://www.jdsupra.com/legalnews/panera-s-breach-and-the-knead-for-68829/

Eight months after a significant data breach involving customer data was
reported to Panera Bread Company by a security researcher, and within a day
of an article being published laying out the nature and extent of the breach
<https://krebsonsecurity.com/2018/04/panerabread-com-leaks-millions-of-customer-records/>,
the company on April 2, 2018 acknowledged the data leak.  However, it
insisted that fewer than 10,000 consumers had been affected, in contrast to
the more than 7 million customers several security researchers estimate
were affected.

The story is not so much the vulnerability in Panera’s online food ordering
system that exposed the customers’ information, nor the fact that Panera
may not have been aware of the breach before the researcher contacted it,
but rather Panera’s delay in disclosing the breach and its refusal to
acknowledge the magnitude of the customer information leaked. Panera is
likely to become the poster child for what not to do in addressing a data
breach.  For example, Panera does not have a dedicated method to accept
vulnerability reports from security researchers; it ignored numerous
communications from the security researcher that attempted to alert the
company to the breach and became defensive about his report, including
accusing the security researcher of being a scammer of some sort.  Perhaps
the greatest surprise is that it waited eight months to acknowledge the leak
and to set about fixing it.  In the meantime more customers were likely
affected by the disclosures of personal information.  In addition, the
reputational harm to Panera because it failed to respond quickly and
forcefully could be significant.

A national standard that includes a set notice period for businesses to
disclose data breaches to customers would have avoided the situation
Panera finds itself in.  The delay could create substantial risk that
customers take legal action against the company.  For nearly the last ten
years many U.S. data security and breach notification laws have been
introduced in the Congress, but none have passed.  Currently at least one
Senate and one House bill have been introduced: H.R. 5388, the Data
Accountability and Trust Act, and S. 2179, the Data Security and Breach
Notification Act.  Both bills contain provisions that generally require
consumers to be notified of any breach within 30 days after its discovery.

Panera is not alone in having delayed reporting breaches.  Equifax and
Target are among the many in that category.  In fact, in 2017 Uber actually
paid two hackers to keep quiet about a cyberattack that exposed the data of
57 million Uber riders and drivers.  State and federal lawmakers and
security experts all agree that the lack of transparency by businesses,
governmental entities and other organizations is a problem that needs to be
addressed.  While many state legislatures have passed data breach
notification periods, the Congress has been unable to pass legislation to
address this and other issues resulting from the many significant data
breaches that occur almost daily.  While it is not clear that consumers
have changed their online activity because of these breaches, that day may
come.