Panera’s attempt to downplay data breach backfires

When the bakery and restaurant chain tried to say only 10,000 accounts were leaked online, security reporters were ready to prove them wrong. Here are some lessons from this PR misstep.


When responding to a crisis, it’s important to be fast—and accurate.

When Panera Bread executives learned that reporters had discovered a security flaw in its website that had potentially leaked millions of customer accounts—including names, home addresses and the last four digits of credit cards—the company immediately patched the site and reached out to news outlets.

Even when a security researcher first notified Panera of the problem in 2017, its response was tepid. Security reporter Brian Krebs detailed how the company had responded to reports that its site was vulnerable.

He wrote:

KrebsOnSecurity learned about the breach earlier today after being contacted by security researcher Dylan Houlihan, who said he initially notified Panera about customer data leaking from its Web site back on August 2, 2017.

A long message thread that Houlihan shared between himself and Panera indicates that Mike Gustavison, Panera’s director of information security, initially dismissed Houlihan’s report as a likely scam. A week later, however, those messages suggest that the company had validated Houlihan’s findings and was working on a fix.
