July 10, 2018

Data breaches have been in the news a lot in the past few years. They almost seem to have become the norm, and no one is shocked when the next one occurs. Recently several companies have essentially breached themselves, exposing their customers' information to the world through their own mistakes rather than an outside attacker.
In August 2017 an Internet security researcher noticed that panerabread.com was serving, in plain text, the account details of any customer who had created an account to order food online. With more than 2,100 locations in the US and Canada the list was certainly long. The data included the username, the customer's name, phone number, address, loyalty number and the last four digits of the credit card, and anyone logged into panerabread.com could look up other customers' records by account number; the site checked that a user was logged in, not that the record being requested was their own.
When contacted, Panera Bread's head of information security, Mike Gustavison, dismissed the initial report as a hoax, but acknowledged the issue within about a week. Despite that, eight months later there was still no fix, and no action appears to have been taken until early April 2018, when Panera was contacted by security journalist Brian Krebs. The site was taken offline and repaired, and when it was restored the customer information was no longer visible. Krebs estimated that as many as 7 million customer records were exposed (Panera, in a statement to Fox News, put the number at 100,000), and a later estimate suggested the true figure could be as high as 37 million.
Panera claims that no credit card or gift card numbers were stolen, yet a number of customers have since reported charges for food they did not order. Bear in mind that the last four digits of a card are not enough on their own to make a purchase, so those charges cannot be tied to this exposure without further evidence. Considering that Gustavison also worked for Equifax, one has to wonder whether this will cost him his job. At the very least, ignoring the warning had far-reaching consequences, and the potential litigation will be expensive.
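The Panera failure described above is a missing authorization check: the endpoint verified that the caller was logged in but never verified that the requested record belonged to that caller. The following is an added example, not Panera's code; the customer records, account IDs and function names are constructed for illustration. It shows a handler with that defect beside one that enforces object-level authorization, and an enumeration loop that measures what one ordinary logged-in user can harvest from each.

```python
"""Added example, not Panera's code: an account-lookup handler that returns
any customer's record to any logged-in user, beside one that enforces
object-level authorization.  All names, IDs and records are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Customer:
    account_id: int
    username: str
    name: str
    phone: str
    address: str
    loyalty_number: str
    card_last4: str


# Constructed sample data.  Sequential IDs make enumeration trivial.
CUSTOMERS = {
    1001: Customer(1001, "alice", "Alice A.", "555-0101", "1 Main St", "L-1001", "1234"),
    1002: Customer(1002, "bob", "Bob B.", "555-0102", "2 Main St", "L-1002", "5678"),
    1003: Customer(1003, "carol", "Carol C.", "555-0103", "3 Main St", "L-1003", "9012"),
}


class LoginRequired(Exception):
    """Raised when the request carries no valid session."""


def lookup_vulnerable(session_account_id, requested_id):
    """Authentication only: any valid session can read any record by ID."""
    if session_account_id not in CUSTOMERS:
        raise LoginRequired()
    return CUSTOMERS.get(requested_id)


def lookup_hardened(session_account_id, requested_id):
    """Authentication plus object-level authorization.

    A record is returned only if it belongs to the session's account.  A
    record that exists but belongs to someone else is reported exactly like
    one that does not exist, so the endpoint cannot be used as an oracle
    for which account IDs are valid.
    """
    if session_account_id not in CUSTOMERS:
        raise LoginRequired()
    if requested_id != session_account_id:
        return None
    return CUSTOMERS.get(requested_id)


def harvest(lookup, session_account_id, id_range):
    """What one logged-in user collects by walking a range of account IDs."""
    found = {}
    for account_id in id_range:
        record = lookup(session_account_id, account_id)
        if record is not None:
            found[account_id] = record
    return found


if __name__ == "__main__":
    # Alice (1001) walks IDs 1000..1009 against each handler.
    print("vulnerable:", sorted(harvest(lookup_vulnerable, 1001, range(1000, 1010))))
    print("hardened:  ", sorted(harvest(lookup_hardened, 1001, range(1000, 1010))))
```

Against the vulnerable handler a single account walks the whole table; against the hardened one it gets back only its own record, and a "not yours" request is indistinguishable from a "does not exist" request. In a real service the ownership check belongs in the data-access layer so every endpoint inherits it, not in one handler that later code can forget to copy.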
In other news, Chase customers logging into their accounts in February 2018 were surprised to see someone else's account. Given the nature of Chase's site this affected only a small number of customers and lasted about 2½ hours in total, certainly a much faster response than Panera's. The glitch was entirely on Chase's side and was not the result of an attacker; it appeared to be mostly confined to the mobile app, though some users reported the problem on the website as well. The app itself was updated the following morning.
The issue appeared to be linked to customer data being inadvertently cached. Browsers and intermediate caches routinely store static resources such as images so that pages load faster. It seems that live, account-specific responses that should never have been cached were being cached, so one customer's data was handed to the next customer who requested the same URL; once alerted, it was an easy fix for Chase. Responses carrying personalized data should be sent with Cache-Control: no-store (and private) so that no cache, shared or local, retains them.
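To make the caching failure concrete, here is an added example that is not Chase's code: a toy shared cache sitting between users and an origin server, with an account endpoint that marks its response cacheable beside one that sends the corrected headers. The URL, user names, response bodies and the cache itself are constructed; the directive handling follows the HTTP caching rules (RFC 9111) that a shared cache must not store a response marked no-store or private.

```python
"""Added example, not Chase's code: a toy shared cache shows how an account
response that lacks the right Cache-Control directives is handed to the next
user who asks for the same URL, and how the corrected headers prevent that.
Paths, users and bodies are constructed."""
import json


def parse_cache_control(value):
    """Turn 'max-age=60, Private' into {'max-age': '60', 'private': None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def shared_cache_may_store(headers):
    """A shared cache must not store a response marked no-store or private;
    anything else here is treated as storable (e.g. a plain max-age)."""
    directives = parse_cache_control(headers.get("Cache-Control", ""))
    return "no-store" not in directives and "private" not in directives


class SharedCache:
    """Minimal URL-keyed cache sitting between users and the origin.
    It ignores Vary, which is exactly why the weak headers are dangerous."""

    def __init__(self):
        self.entries = {}

    def get(self, path, user, origin):
        """Return (response, served_from_cache)."""
        if path in self.entries:
            return self.entries[path], True
        response = origin(path, user)
        if shared_cache_may_store(response["headers"]):
            self.entries[path] = response
        return response, False


def _account_body(user):
    # Constructed personalized payload.
    return json.dumps({"owner": user, "accounts": [{"id": f"{user}-chk", "balance": 100}]})


def weak_origin(path, user):
    """Personalized data sent with a header that lets any cache keep it."""
    return {
        "headers": {"Content-Type": "application/json", "Cache-Control": "max-age=60"},
        "body": _account_body(user),
    }


def hardened_origin(path, user):
    """Same data, marked so neither shared nor local caches retain it."""
    return {
        "headers": {
            "Content-Type": "application/json",
            "Cache-Control": "no-store, private",
            "Vary": "Cookie",
        },
        "body": _account_body(user),
    }


def who_does_bob_see(origin):
    """Alice loads her accounts, then Bob loads his through the same cache.
    Returns (owner of the body Bob received, whether it came from cache)."""
    cache = SharedCache()
    cache.get("/api/accounts", "alice", origin)
    response, from_cache = cache.get("/api/accounts", "bob", origin)
    return json.loads(response["body"])["owner"], from_cache


if __name__ == "__main__":
    print("weak headers:    ", who_does_bob_see(weak_origin))
    print("hardened headers:", who_does_bob_see(hardened_origin))
```

With the weak headers Bob receives Alice's account data straight from the cache; with no-store the cache never keeps the response and each user gets their own. The Vary: Cookie header is included as belt-and-braces for caches that do honour it, but it is no substitute for no-store, since a cache that ignores Vary (as this toy one does) still leaks.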
Protecting your customers' information is a big deal, and PCI compliance matters. Perhaps the biggest lesson here is that when someone tells you something is wrong, take them seriously. With Internet security problems it is far better to nip them in the bud than to let them fester. It certainly would have been much easier for Mike Gustavison and Panera Bread.