We need a federal law protecting consumers from data leaks
Panera Bread can make you a sandwich in a few minutes, but it will need a little more time to tell you that it leaked your data to the entire internet.

How long? Try eight months. That’s how much time elapsed between when security researcher Dylan Houlihan first warned the St. Louis-based fast-casual chain about a flaw on its site and the firm actually taking action.

That may be infuriating, but it shouldn’t be surprising. We keep seeing these data-breach debacles in part because you can’t make a federal case out of them: No nationwide law compels companies to address a data breach quickly, and you shouldn’t expect one anytime this year. Or maybe even next.

Lag time

Houlihan first tried notifying Panera last August that its site exposed the data of potentially millions of online-ordering accounts — including customers’ phone numbers and the last four digits of saved credit cards.

As Houlihan related in a Medium.com post Monday, after multiple messages went unanswered or bounced (spoiler alert: not a good sign when a company doesn’t have a catchall security@companyname email address), the company finally assured him that it was working to resolve the problem.

Then nothing changed for months.

Fed up, Houlihan tipped off cybersecurity journalist Brian Krebs and data-breach researcher Troy Hunt. After Krebs put in a query, Panera took its entire site offline and then said it had fixed the problem.

After Krebs published his post Tuesday, Panera began telling news sites that only 10,000 accounts had been exposed. But security researchers found that not only was the vulnerability still there, the total number of customer records could actually top 37 million.

Security consultant Adam Shostack’s two-word review of Panera’s response: “quite poor.”

Panera’s PR department did not answer requests for comment.

That should look familiar

Denial and delay have been part of the industry data-breach playbook for years. Equifax (EFX) learned in late July of last year that unknown attackers had exploited a vulnerability on its site to access sensitive data of about 143 million Americans — including Social Security Numbers — but didn’t loop the rest of us in until September.

Yahoo (Yahoo Finance’s parent company) had data of all 3 billion users