Panera Bread company is the latest to find itself in hot water. Recently, security researcher Dylan Houlihan discovered that the company had failed to encrypt (or otherwise protect) a file containing usernames, email addresses, physical addresses, phone numbers and loyalty account numbers for a staggering thirty-seven million of its customers.
The file was found stored as plain text, and accessible to anyone who bothered to go looking for it. The good news is that no one appears to have absconded with the data, so odds are that even if you’re a Panera customer, you’re not at risk. The bad news is that Panera’s handling of the incident to this point has been dreadful, to say the least.
First, the company was slow to even acknowledge that there was a problem, and when they did, they attempted to downplay the number of users the oversight impacted. Second (the truly disturbing part of the ongoing story), even when the company did acknowledge the scope and scale of the incident, they left the plain text file on the website. It was completely unsecured until the security professional (Houlihan) contacted them a second time.
To date, their most detailed response has been that the investigation into the matter is ongoing.
There’s a harsh lesson here for any business owner. This is a textbook example of how not to respond to an incident like this. There are so many different things Panera could have done to make this a non-issue. The first of which would have been to immediately take the file down or secure it. Next, to immediately notify all the customers on the list (just in case the file had been downloaded by hackers). Lastly, issue a detailed action plan that assured customers that the company was taking steps to make sure something like this would happen in the future. Sadly, exactly none of that has happened.