An independent security researcher just uncovered Panera Bread’s negligent exposure of millions of customer records. He notified Panera in a responsible manner, and even after 8 months the company had not fixed the flaw. The underlying problem was specifically serving private data on a public endpoint without strict authentication and access control. This is so basic that beginner API developers should know to avoid it. Moreover, it falls under the OWASP Top 10 (owasp.org), the well-known list of ways that databases become compromised through insecure web applications.
Ironically, Panera Bread’s director of information security, Mike Gustavison, was previously with Equifax, although he left that company prior to its historic, devastating breach last year, which exposed extremely sensitive financial details on 147.9 million consumers, nearly every adult in the United States.
I call on Georgia Governor Nathan Deal to VETO SB 315 to protect independent security threat researchers who bring these issues to the light of day so that the public may be protected.
To read more about the Panera incident, see Panerabread.com Leaks Millions of Customer Records (krebsonsecurity.com). Dylan Houlihan, the independent security researcher, has also published his own account at No, Panera Bread Doesn’t Take Security Seriously (medium.com).