Imagine someone running in to your office and reporting that the building is on fire. Also imagine that the person is dressed as a firefighter and that there’s a big red truck outside your building with a full firefighting crew.
What would you do? If you were executives at Panera Bread, apparently you’d ignore the reports of a fire, but accuse the firefighters of running a scam.
That’s essentially what happened when security engineer Dylan Houlihan tried to report to Panera in August 2017 that they were exposing the personal data of millions of their customers.
Responses from a Panera security official, Mike Gustavison, ranged from silence, to a statement that he ignored Houlihan’s warnings of the breach. Gustavison, according to emails reproduced in a blog post on Medium, accused Houlihan of making a sales pitch and asserted that he would not be duped or respond to demands for restitution.
Despite the fact that Houlihan had provided full details of the breach in a formal security report months earlier, the data remained exposed on the Panera network to anyone who cared to look for it until early April 2018. The exposure was only eliminated after accounts of the breach started showing up on the Web.
Panera’s failure to take even minimal steps to confirm that customer data was exposed to protect that data constitutes an egregious example of security worst practices. But the story gets even worse.
Many organizations make mistakes which exposes personal data is exposed to the outside world. What’s rare is that Panera chose to ignore the reports of the breach for months. Then executives at Panera, when faced with a security professional bearing bad news, chose to blame the professional who was trying to alert them to the breach.
When blame didn’t work, the folks at Panera tried to accuse the security professional of running a scam, of trying to drum up business and of looking for some kind of compensation, according to Houlihan’s statement about the incident in his blog. Houlihan’s veracity is supported by copies of emails from Panera in the blog post.
Probably the worst practice of all is intentionally waiting to fix the breach until the company was publicly forced to confront the accuracy of the researchers report. Apparently, they hoped that nobody would notice and stop bothering them about it.
But it’s the intentional failure to act that’s the worst problem. This is more than negligence or a matter of bad security practices. This was plain corporate arrogance and stupidity.
Fortunately, you can learn from Panera’s mistakes. Start by developing an understanding that your organization’s security isn’t perfect. Believe that the bad guys are smart enough at what they do that they can probably penetrate your perimeter defenses, no matter how good you think they are.
With that realization you need to develop a security response procedure so that when you get wind of a problem from whatever channel, you have a plan in place to deal with it. It’s also critical to understand that word of a breach or other security problem is almost certain to arrive in some manner that you didn’t expect.
If the folks at Panera had even marginally good sense, they’d have realized how lucky they were that their security hole was initially found by another security professional, not one of the bad guys. Their initial response should have been profound thanks, followed with willingness to accept any help they could get.
Once any organization learns about a breach the correct response is to realistically evaluate the damage to your network and the scale of data exposure. Trying to deny or downplay reports of network vulnerability in an apparent effort to save face is exactly the wrong thing to do—another worst practice.
Instead, report the breach, which is required by multiple, federal and state laws, and get to work explaining what you’re going to do about it. Then get to work notifying your customers or business partners about what data actually leaked. Even it if wasn’t customer data that was lost, tell them about the breach and what you’re going to do about it to protect them going forward.
When you fully understand where your network and data resources were breach, make sure you do a comprehensive fix, not a jury-rigged repair. For example if the breach resulted from an unpatched system, then reevaluate your patching practices so that you don’t leave your systems unpatched any longer than possible. Otherwise cyber-criminals will be back to look for other places to break in.
After you’ve evaluated the breach, find ways to make it harder to use any data that the bad guys might find. One good way is to make sure that sensitive data is not kept in one place, so that a breach of one system doesn’t give the attackers access to all your most important resources. Encrypt all your data resources to ensure that even if attackers succeed in breaking into your network, the data is useless to them.
By taking some sensible steps and remembering that your system is never as secure as you think it is, you have started down the road toward implemented best security practices. Otherwise, you can join Panera as a public example of the worst possible practices.