You are reading The Rietta Blog, a publication about the web since 2005.

Panera Bread Story Is an Example of Why Governor Deal Should Veto SB 315


An independent security researcher just uncovered Panera Bread’s negligent exposure of millions of customer records. He notified Panera in a responsible manner, and even after 8 months Panera had not fixed the flaw. The underlying problem was specifically serving private data on a public endpoint without strict authentication and access control. This is so basic that beginner API developers should know to avoid it. Moreover, it’s among the OWASP Top 10 (owasp.org), the well-known ways that databases become compromised through insecure web applications.
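To make the flaw concrete, here is an added illustration that is not from the original post and does not reproduce any real Panera endpoint: a hypothetical customer-lookup API written two ways in plain Ruby, with constructed sample records and session tokens. The vulnerable version hands back any record to anyone who supplies a numeric id; the hardened version first requires a valid session and then only serves the record belonging to that session's owner, answering 404 for both missing and foreign ids so that ids cannot be enumerated. The final function is a self-check a team can run against its own handler to confirm that no record is reachable anonymously.

```ruby
require 'json'

# Constructed sample data standing in for a customer table (not real data).
CUSTOMERS = {
  1001 => { name: 'Alice Example', email: 'alice@example.test', phone: '555-0100' },
  1002 => { name: 'Bob Example',   email: 'bob@example.test',   phone: '555-0101' }
}.freeze

# Constructed session store: opaque bearer token -> id of the logged-in customer.
SESSIONS = { 'tok-alice' => 1001 }.freeze

ROUTE = %r{\A/api/customers/(\d+)\z}.freeze

# Hypothetical vulnerable handler: no authentication, no ownership check.
# Any caller who supplies (or guesses) a numeric id receives that customer's record.
def vulnerable_lookup(path, _headers = {})
  m = ROUTE.match(path)
  return [404, {}] unless m
  record = CUSTOMERS[m[1].to_i]
  record ? [200, record] : [404, {}]
end

# Hardened handler: authenticate the session, then authorize the requested id
# against the session owner. Missing and foreign ids both yield 404 so an
# authenticated caller cannot probe which ids exist.
def hardened_lookup(path, headers = {})
  m = ROUTE.match(path)
  return [404, {}] unless m
  token = headers['Authorization'].to_s.sub(/\ABearer /, '')
  owner = SESSIONS[token]
  return [401, {}] unless owner               # not logged in
  requested = m[1].to_i
  return [404, {}] unless requested == owner  # not yours (or nonexistent)
  [200, CUSTOMERS.fetch(requested)]
end

# Defender's regression check: call the handler with no credentials over a
# range of ids and count how many records come back. Anything above zero means
# private data is being served on a public endpoint.
def anonymous_exposure_count(handler, ids)
  ids.count { |id| handler.call("/api/customers/#{id}", {}).first == 200 }
end

if __FILE__ == $PROGRAM_NAME
  ids = 1000..1003
  puts "vulnerable: #{anonymous_exposure_count(method(:vulnerable_lookup), ids)} records exposed"
  puts "hardened:   #{anonymous_exposure_count(method(:hardened_lookup), ids)} records exposed"
  puts JSON.generate(hardened_lookup('/api/customers/1001', 'Authorization' => 'Bearer tok-alice').last)
end
```

The point of the check is that it is cheap to automate: a test like `anonymous_exposure_count` belongs in the API's test suite so that an endpoint cannot regress to the vulnerable form without a build failing.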

Ironically, Panera Bread’s director of information security, Mike Gustavison, was previously with Equifax, although he left that company prior to its historic, devastating breach last year that exposed extremely sensitive financial details on 147.9 million consumers, nearly every adult in the United States.

I call on Georgia Governor Nathan Deal to VETO SB 315 to protect independent security threat researchers who bring these issues to the light of day so that the public may be protected.

To read more about the Panera incident, see Panerabread.com Leaks Millions of Customer Records (krebsonsecurity.com). Dylan Houlihan, the independent security researcher, has also published his own account at No, Panera Bread Doesn’t Take Security Seriously (medium.com).

About Frank Rietta


Frank Rietta is a web application security architect, author, and speaker. He is a computer scientist with a Masters in Information Security from the College of Computing at the Georgia Institute of Technology. He speaks about security topics and was a contributor to the security chapter of the 7th edition of the "Fundamentals of Database Systems" textbook published by Addison-Wesley.
