By SecureWorld News Team
Tue | Apr 3, 2018 | 9:10 AM PDT

It's the stuff of InfoSec nightmares: you go to your favorite cybersecurity website and the headline says your organization "does not take security seriously."

Next thing you know, your company is in the mainstream news, where stories say your organization was told about a problem and failed to do anything about it for eight months.

And the entire time, customer data—including names, usernames, email addresses, phone numbers, and the last four digits of payment card numbers—was being exposed.

This is what Panera Bread is going through right now.

Panera alerted to problem 8 months before headline

I just finished reading a really interesting post by security researcher Dylan Houlihan, who alerted Panera of the problem that then persisted for eight months. 

I'm actually using his headline for my story. But why did he feel the need to write something so harsh? And how can you avoid putting your organization in this spot?

Well, Houlihan reached out very nicely to Panera, never threatening the company or asking for anything in return, and he felt like he was treated unfairly from the start. See this exchange as an example:

[Image: the email exchange between Houlihan and Panera Bread's security contact]

Here's how Houlihan responded on his blog, eight months after his initial contact:

"I want to take a moment to say something important. I have worked internally as a security engineer responsible for fielding random security reports like this from the outside. I have also submitted reports like this to companies, in bug bounties and as a courtesy with no expectation of a reward. I have been on both sides of the table. The response I received is not appropriate whatsoever. There is never a reason to begin a conversation like that by being so defensive. I know people send lots of superfluous security reports, because I’ve had to receive them. But I’ve never started the conversation by being antagonistic — this is not an excuse for reacting like that."

Eventually, the company thanked him and said it was working on a fix to the problem.

Security researcher kept looking for a fix

And Houlihan says he kept checking back, giving the company month after month to fix the flaw: 

"Now, after I was reassured this would be fixed, I checked on this vulnerability every month or so because my own data is in there, which means I’m personally affected by it. So I personally know for a fact that it was never patched in the interim. And even if it was, that it would be fixed and inadvertently reintroduced is nearly as bad as not fixing it at all. But I held off on doing anything, deciding to let them proceed. Eight months go by."

Negative publicity only thing that led to resolution

Houlihan got frustrated that so much time had passed with no fix by Panera Bread, so he told Brian Krebs about it.

Krebs broke the story and called the company out. Panera got negative media coverage and briefly took the website down, apparently to fix the issue.

Panera then issued a statement saying, "Panera takes this issue very seriously, and the issue is resolved."

And that's what Houlihan's headline, used for this story, is all about. 

It was a response to Panera's fix, which was apparently eight months in the making: "No, Panera Bread Doesn't Take Security Seriously."

Read Houlihan's timeline and post, and then ask yourself: Would your organization have handled things differently?

Or are there too many false security reports and scams (as Panera responded) to take these types of tips seriously? 
