Panera Bread can make you a sandwich in a few minutes, but it will need a little more time to tell you that it leaked your data to the entire internet.
How long? Try eight months. That’s how much time elapsed between when security researcher Dylan Houlihan first warned the St. Louis-based fast-casual chain about a flaw on its site and the firm actually taking action.
That may be infuriating, but it shouldn’t be surprising. We keep seeing these data-breach debacles in part because you can’t make a federal case out of them: No nationwide law compels companies to address a data breach quickly, and you shouldn’t expect one anytime this year. Or maybe even next.
Houlihan first tried notifying Panera last August that its site exposed the data of potentially millions of online-ordering accounts — including customers’ phone numbers and the last four digits of saved credit cards.
Then nothing changed for months.
Fed up, Houlihan tipped off cybersecurity journalist Brian Krebs and data-breach researcher Troy Hunt. After Krebs put in a query, Panera took its entire site offline and then said it had fixed the problem.
Panera’s PR department did not answer requests for comment.
That should look familiar
Denial and delay have been part of the industry data-breach playbook for years. Equifax (
Yahoo (Yahoo Finance’s parent company) had data of all 3 billion users