Panera Bread customer records exposed via leaky database – dough!

There’s a war of words going on at the moment between veteran cybercrime reporter Brian Krebs and US bakery chain Panera Bread.

Krebs recently wrote about a data leakage problem on Panera’s website, whereby crooks could supposedly tease out personal information about a Panera customers, without logging in themselves, by directly searching for likely terms in Panera’s online database.

For example, if you knew someone’s phone number, you could put in a search request and retrieve information that Panera happened to hold against that phone number.

In Krebs’s article, he gave an example where searching for a single company phone number retrieved data on numerous users, including username, email address and the last four credit card digits – presumably because multiple staff at a company located near one of Panera’s outlets had asked for deliveries to their place of work.

Worse still, attackers could apparently search by account ID, a numeric identifier that Krebs says may simply be incremented by one for each new user.

In other words, if you had a Panera account yourself and knew that your numeric ID was, say, 31337, then trying 31338, 31339 and so on might allow you to recover at least some personal information about other customers who first transacted at around the same time you did.

Of course, by trying thousands or hundreds of thousands of IDs in sequence you might, in theory at least, suck down data about hundreds or thousands of other active users.

Apparently, Panera has now moved the offending data out of harm’s way, but that’s where the war of words with Krebs kicks in.

Panera is on the record claiming that “[o]ur investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps.”

Panera may very well be in a position to support a claim of this sort, assuming that it has server logs that reliably show which user records were accessed, and how, and assuming that the logs provide a complete and reliable record.

But Krebs thinks otherwise, saying that “[i]t is not clear yet exactly how many Panera customer records may have been exposed by the company’s leaky web site, but incremental customer numbers indexed by the site suggest that number may be higher than seven million.”

Indeed, Krebs concludes his piece with the claim that “[s]ubsequent links […] indicate that this data breach may be far larger than the 7 million customer records initially reported as exposed in this story. The vulnerabilities also appear to have extended to Panera’s commercial division which serves countless catering companies. At last count, the number of customer records exposed in this breach appears to exceed 37 million.”

What to do?

Even if Krebs’s numbers are theoretical maxima and Panera’s figures turn out to be the real-life ones, there was still a breach here, and it could easily have been avoided.

So, if you have a searchable customer database that’s accessible online, ask yourself these three questions:

  1. Does this data need to be online at all? If “no”, then take it offline immediately and permanently.
  2. Does this data require a user to authenticate first? If “no”, then take it offline immediately until you’ve sorted out the login process.
  3. Does this data correctly limit access to the current user? If “no”, then then take it offline immediately until you’ve sorted out proper access control.

Remember: if in doubt, really, really, REALLY don’t give it out, especially if it’s data about someone else.