Panera Bread and What To Do Next

What Happened?

I’m pretty sure most folks go to Panera Bread from time to time. Sadly, they have the dubious honor of being the latest big data breach. Worse, they seem to be a pretty good example of how NOT to handle this sort of thing. As near as I can tell from the reports so far, you’re impacted if (A) you have a Panera Bread loyalty card (that includes “I just give them my phone number and they look it up”) or (B) you bought any kind of pre-paid card.

The reports so far seem to say the breach includes names, usernames, email addresses, physical addresses, loyalty card numbers and the last four digits of credit card numbers for probably 37 million people.

Two sources of information:

The place where this gets bad is that Panera was reportedly alerted to the problem with their web site eight months ago and did nothing about it. Houlihan finally got tired of waiting for them to do something and that’s when he passed the story to Krebs. (For comparison, at my workplace, we generally have to fix security problems less serious than this one in under a week.)

Krebs broke the story on Monday, April 2, after first letting Panera know what he was about to publish. They took their web site down and two hours later announced to the world that the problem was fixed and had only affected about 10,000 people.

Except they didn’t actually fix it. It doesn’t sound like they even put much of a Band-Aid on it. Following Brian Krebs’ Twitter stream from that day is illuminating.

So, as I write this, PaneraBread.com is offline.

That’s the quick and dirty summary.

What do I do about it?

That’s a tough question. I haven’t seen anything yet about passwords being part of the breach, but if you had a login on any of Panera’s web sites, you should think long and hard about whether you may have used that same password anywhere else. If you think you may have, you should go change the password on that other site just to be sure.

(As a semi-side note, here are my quick password rules.)

One part that’s somewhat concerning is that the breach includes the last four digits of credit cards. That’s not enough to actually use the credit card, but there are a lot of things online where knowing someone’s name and the last four digits of their credit card number is enough information to “prove” you’re that person. (There was a somewhat famous case a few years back where a tech journalist had his PC and iPad wiped after someone got hold of that information.) So you may need to think about getting credit cards reissued (the banks lately have been a bit more proactive about that, so you may get one anyhow).

One other thing you might consider is signing up on the web site https://haveibeenpwned.com (yeah, it’s a funny name). That’s a free online tool (you don’t even need to set up a password), where you can find out if your email address has ever appeared in any of these big data breaches. More interestingly, you can also sign up (again, no password), to get an alert if your email address shows up in any future breaches. (I use this feature to monitor the domains my parents, wife and I use, but it also works for individual email addresses.)

Why would you want to know about breaches? Aside from being a way to find out when your information is exposed, a lot of the breaches you hear about in the news (and a lot of the ones you don’t hear about) include not just an email address, but also a password. And once the bad guys find out how to log in as you on one system, they try again on other systems (e.g. banks). And with the huge number of passwords most people need to remember these days, there’s an unfortunate tendency to re-use them.