Do(ug)h! Half-baked security at Panera Bread spills customer data

The website for restaurant chain Panera Bread has made the personal information for customers' online accounts available for takeout since August last year, according to security researcher Dylan Houlihan. The all-your-can-eat menu on its website offered online account holders' full names, home addresses, email addresses, …

  1. Korev Silver badge
    Windows

    I think they need to use their loaf and sort it

    The crusty is the nearest thing that we have to a bread icon -->

  2. 2+2=5 Silver badge
    Joke

    > The Register asked Panera Bread for comment but we've not heard back.

    They're probably thinking: What the foccacia has it got to do with you?

  3. FozzyBear Silver badge
    Coat

    Well they kneaded the sysadmin time to rest before he could rise to the occasion

  4. Doctor Syntax Silver badge

    "eight months after initially alerting the bread biz, Houlihan finally managed to get the culinary company to close its data buffet on Monday by publishing evidence of his findings on Pastebin and alerting the media."

    Experience is a dear teacher but there are those who will learn by no other.

    1. Notas Badoff

      99% off all orders for the next month!

      Enter coupon code TANSTAAFL when ordering.

      After a month of all that bread and lettuce leaving for free, the next shareholders meeting would be hot and steaming.

  5. dan1980

    Houlihan is right - this incident is really indicative of a general trend across all businesses that deal with personal data.

    The only way I can see this situation changing is if there is a financial incentive: avoiding crippling fines.

    No publicly-accessible platform is completely secure, and nearly anything can be breached by a dedicated, technically advanced and well-funded adversary. That being the case, however, the vast majority of breaches that occur need nowhere near that level of backing and, far too often, are laughably easy.

    In such cases, the negligence is nearly willful and needs to be punished as such.

    1. sanmigueelbeer Silver badge
      Alert

      this incident is really indicative of a general trend across all businesses that deal with personal data.

      There were several studies, some dating back as early as 2010, showing that it is still CHEAPER for a company to get hacked/breached than to take any action, i.e. improve IT security, inform users that their details have been stolen, pay for customers' credit card information to be "monitored".

      When US banks were told that they should be issuing PIN-based credit cards (vs swipe and sign), the banks refused because they don't want to be responsible for upgrading the merchant facilities, because the banks don't want to PAY for it.

      At the end of the day, we're going to be seeing more of these.

  6. Sam Therapy
    Coat

    So, basically...

    Their security is toast?

    Coat... yeah, it's the one with the crusty cob.

  7. Kevin McMurtrie Silver badge

    Off to a bad start and probably heading towards a bad finish

    Somebody who doesn't know how to use PGP keys is in charge of security?

  8. John H Woods Silver badge

    "Panera takes data security very seriously"

    Just the usual floury words

    1. Pascal Monett Silver badge
      Thumb Down

      Floury words indeed

      And they only appear after a flaw has been publicised, meaning that before the public knowledge, they couldn't have cared less.

      If you want us to believe you take data security seriously, sitting on a vuln for 8 months is not the right signal to send.

  9. AskOllie.com

    He has form

    And the mentioned Mike Gustavison, Director of Information Security for Panera Bread - his last job was...

    Senior Director of Security Operations at Equifax

    https://www.linkedin.com/in/mike-gustavison-b020426/

    Coincidence?

    1. Anonymous Coward
      Anonymous Coward

      Re: He has form

      The article on Medium already got that pal

  10. spold Bronze badge

    The privacy regulator is sure to say "lettuce investigate".

    If you had a ham sandwich recently expect to be targeted by angry vegans.


Biting the hand that feeds IT © 1998–2019