Panera Bread has a public relations fiasco on its hands. It has embroiled itself in one of the most tragicomic data breaches the world has seen in a while, a breach that could have been easily avoided.
Dylan Houlihan, who found the security issue and eventually went public with it, has written a post giving the authoritative breakdown of what happened and when. The story can be summarized thus:
- Dylan finds a security issue – the leaking of customers’ personal information – at Panera’s website and contacts the company.
- Panera eventually acknowledges the issue and promises a fix.
- Eight months later, with no fix, Dylan reaches out to someone who can effect change via public pressure.
- Panera fixes the problem within hours of being contacted by Brian Krebs, the security blogger at krebsonsecurity.com.
- Further poking around shows that Panera didn’t really fix anything, and that the same problem exists in other places across Panera’s online presence.
- This finding blows holes in Panera’s public statement that they “take data security issues seriously.”
- Panera takes down its entire online presence, which is still down 48 hours after the fiasco first made news.
Of course, one of the bigger questions is: if Panera was really able to fix the problem in two hours, why did it drag its feet for eight months? In hindsight, it’s obvious that it couldn’t, and didn’t, fix it in two hours. And, seeing how 48 hours after the story broke, panerabread.com’s homepage is showing what is essentially a 404 page, we can strongly presume that they still don’t have a handle on the problem.
Which further leads one to believe that they didn’t spend the past eight months trying to fix the problem at all.
What Does the Panera Bread Fiasco Show Us?
Panera’s actions are, unfortunately, not an exception to the rule. Certainly, there are plenty of companies that have tried to do right by their customers, either because they feel it’s their duty or because it’s the law, or some combination of the two.
Then we have the companies like Equifax, Yahoo, Facebook, and others that offer some canned words about taking data security seriously…but an investigation shows otherwise. Panera looks like it might be joining this disgraced group. (While Facebook is promising change – and by the looks of recent events, they may mean it – it’s still fair to lump them in this category because the internet giant has a history).
The fact that some of the biggest, most powerful companies in the US (possibly in the world) are acting in this manner proves that the US needs strong data privacy laws. Now, some may point out that we only get to hear of the companies that failed in securing their data; thus, it makes it “seem” as if most companies are not doing anything to secure data, but that’s far from the case.
However, when the companies with the money to do something are caught being cavalier about data security, it only adds weight to the suspicion that those with less money are doing even less security-wise, or at least not as much as they could. And even where that is not the case, it is fair to assume that current data security laws had a strong hand in producing the, shall we say, not-so-reprehensible responses we do see: fixing obvious data security problems, going public with the breach, offering credit monitoring. All of these are codified in state laws, although not all states have identical laws.
Don’t hold your breath on those stronger data security laws, though.
Recently, thirty-two state Attorneys General sent a letter to Congress noting that the proposed federal “Data Acquisition and Technology Accountability and Security Act” would preempt stronger state-level data breach and privacy laws.
And, as they point out, this would essentially give companies like Equifax a slap on the wrist if they experience data breaches.