When responding to a crisis, it’s important to be fast—and accurate.
When Panera Bread executives learned that reporters had discovered a security flaw in its website that had potentially leaked millions of customer accounts, including names, home addresses and the last four digits of credit card numbers, the company quickly pulled the affected functionality offline, declared the issue resolved and reached out to news outlets.
Yet when a security researcher first notified Panera of the problem, months earlier, its response was tepid. Security reporter Brian Krebs detailed how the company had handled that report:
KrebsOnSecurity learned about the breach earlier today after being contacted by security researcher Dylan Houlihan, who said he initially notified Panera about customer data leaking from its Web site back on August 2, 2017. A long message thread that Houlihan shared between himself and Panera indicates that Mike Gustavison, Panera’s director of information security, initially dismissed Houlihan’s report as a likely scam. A week later, however, those messages suggest that the company had validated Houlihan’s findings and was working on a fix.
Fast forward to early this afternoon — exactly eight months to the day after Houlihan first reported the problem — and data shared by Houlihan indicated the site was still leaking customer records in plain text. Worse still, the records could be indexed and crawled by automated tools with very little effort.
After the story was published by Krebs, Panera went on the record with Fox Business stating that the breach was minimal, estimating that fewer than 10,000 customers were affected.
“Panera takes data security very seriously, and this issue is resolved,” Panera Bread Chief Information Officer John Meister said in a statement to FOX Business. “Following reports today of a potential problem on our website, we suspended the functionality to repair the issue. Our investigation is continuing, but there is no evidence of payment card information nor a large number of records being accessed or retrieved.” Meister added: “Our investigation to date indicates that fewer than 10,000 consumers have been potentially affected by this issue, and we are working diligently to finalize our investigation and take the appropriate next steps.”
That’s when Krebs and other security insiders got angry.
Per my last tweet, Panera issued a statement to Fox News saying the breach only impacted 10,000 customer accounts. Interesting that they had no numbers for me, and yet had this 10k number all ready to go on the same day this was "discovered," eight months after it was reported.
— briankrebs (@briankrebs) April 2, 2018
After questioning Panera’s numbers, Krebs did a little more digging and found that the exposure was far larger than the company had acknowledged, and that the original problem hadn’t been fixed after all.
Hey Panera, despite your statements to the contrary, you still haven't fixed this customer info leak. Would you like to revisit the 10k number you just gave to Fox news? https://t.co/AJeiq6Dfd0
— briankrebs (@briankrebs) April 2, 2018
10k records, eh @panerabread ? Isn't that what you told Fox News right after my story ran? Fixed the issue, have you? How do you explain this? https://t.co/tWgSNv71TA
— briankrebs (@briankrebs) April 2, 2018
you know what, let's go for 37M instead of 7M: https://t.co/7DTaherzMi
— briankrebs (@briankrebs) April 2, 2018
Krebs clearly was furious over how Panera had responded to his reporting.
At the risk of making my job harder (or possibly, easier?) it's clear I'm going to have to write an entire series of blog posts about how not to handle a data breach from a PR perspective. I'm sputtering over here. Gave @panerabread every courtesy and they treat me like an idiot
— briankrebs (@briankrebs) April 2, 2018
His final recommendation? Rebuild the website from scratch.
Hey @panerabread : before making half-baked statements to the press to downplay the size of a breach, perhaps you should make sure the problem doesn't extend to all other parts of your business, like https://t.co/rSpkwc3y1v, etc. Only proper response is to deep six entire site
— briankrebs (@briankrebs) April 2, 2018
In a strange twist, Krebs discovered via LinkedIn that Panera’s director of information security, the person Houlihan had first contacted, had previously been a senior director of security operations at Equifax, the credit bureau that exposed the records of more than 145 million U.S. consumers in 2017.
Oh look,the guy my source initially notified at @panerabread EIGHT MONTHS AGO -- their dir. of info security - was senior dir. of security operations at Equifax until 2013. Shocker. https://t.co/kLepEToKqr
— briankrebs (@briankrebs) April 2, 2018
The breach highlights the problem of customer loyalty reward programs that offer limited benefits in exchange for data.
As with so many other data breaches, this one raises questions for consumers. In some respects, it’s grown ever more difficult to avoid e-commerce transactions. Many people now manage their personal banking on mobile apps. And consumers appreciate the convenience of ordering goods online. Every relationship and transaction raises the possibility of a data breach.

But loyalty programs, which promise perks and convenience in exchange for personal data, are another realm. And Panera’s breach makes one wonder: Is a free sandwich worth the hassle of having personal identifying information floating into the wrong hands?
This data breach is just the latest in a series of data-themed crises for companies from tech giants such as Facebook to major retailers including Saks Fifth Avenue. As communicators learn more about what the public wants in response to these data losses, some rules have emerged:
1. Be quick to respond—but don’t fudge the details.
Staying silent, as Facebook did, elicited criticism and ensured the company lost control of the story; but Panera’s inaccurate response sparked the ire of reporters and security experts. Companies shouldn’t expect journalists to give them a pass, as security experts push for tougher reporting and accountability on these stories.
On his blog, Dylan Houlihan, the researcher who first reported the Panera vulnerability, called for more accountability:
We could collectively afford to be more critical of companies when they issue reactionary statements to do damage control. We need to hold them to a higher standard of accountability. I honestly don’t know what that looks like for the media, but there has to be a better way to do thorough, comprehensive reporting on this.
Companies should be ready to provide it.
2. Treat reporters with courtesy.
If you do an end run around one reporter and go to another outlet to spin your story, you are being rude to the reporter who first reached out to you. Journalists won’t take that lying down.
The main thing that really chaps me about this @panerabread data breach fiasco is that the standup researcher who reported it didn't even want publicity. He suggested I didn't need to name him in my story today. And yet they ignored him. https://t.co/S3sIx99HyG
— briankrebs (@briankrebs) April 3, 2018
3. Be humble.
As systems grow more complex, the chances that yours will be compromised only grow. As difficult as it may be, when your data is breached, it is essential to show a little humility. Don’t assume you know the full extent of the damage, don’t state a scope your investigation can’t support, and offer an apology.
Some advice about breach response to a reporter, journalist or otherwise: Don't assume the "proof of concept" is all there is. Dig deeper. Assume it's all compromised. Be humble. Don't make statements about the scope of a breach that can't be supported forensically.
— briankrebs (@briankrebs) April 3, 2018
4. Start an investigation, and follow up.
When Saks Fifth Avenue learned it had leaked payment card details for millions of customers, it stated it would investigate the full reach of the crisis and provide more information at a later time. Committing to an investigation can shield a company from further scrutiny and negative media coverage, provided it acknowledges the problem and then delivers on its promise of more information.
How would you advise Panera to repair its media relationships, PR Daily readers?
from PR Daily News Feed https://ift.tt/2uJRFZO