A successful Security breach happens when an unwanted or unauthorized person accesses a company’s database and extracts useful data from their database without the consent of the information systems owner. This normally happens via physical access or using computer software network to pilfer files. Data breaches may include different types of useful information ranging from health information, personal identifiable information, financial details as well as intellectual property.
According to a report by non-profit |Consumer Organization Privacy Rights Clearance House, a total number of 227,052,199 individuals files containing personal and important information were compromised from 2015 to 2018.
Background
This security breach happened at the Panera Bread Company, an established American based chain bakery cafe. They are prominent in the U.S and Canada. The data breach happened in 2017 and took place within an estimated period of eight months without the hacker being pulled identified. The security breach left an approximated 37 million customers and clients personal and financial information exposed.
A security researcher, Dylan Houlihan, discovered this vulnerability on Panera’s website, Panerabread.com, and shared the vulnerability report and analysis with the company. After being ignored for over 8 months without any action from the company, the security researcher, who was among the people whose data had been exposed, turned this matter into a reveal to force the company to patch the vulnerability. Dylan produced a thread of email exchanges between himself and the company’s CIO John Meister, stemming back to August 2017. In one of the earliest emails, the CIO, instead of investigating the stated vulnerability, accused Dylan of trying to scam the company.
This response from the CIO speaks to the huge skill gap and limited knowledge in the cybersecuirty field. The CIO’s main obligation is to ensure protection of information running on information technologies across the organization.
The vulnerability
Panera Bread Company had a vulnerability on their website that could be manipulated to divulge client data without authorization through an unauthenticated Application Programming Interface (API). An API is a way to get one computing component A to communicate with another component B by providing an interface for this communication. In this case, Panera’s API was public facing, utilized by clients to order online. Since this API was not authenticated, it allowed anyone to query the following information about anyone who had ever signed up for an account on the website; first name, last name, username, email address, last four digits of credit card used for payment, birthday, phone number, current home address, SSN, food preferences as well as dietary restrictions.
Essentially, this information is enough for a cyber-attacker to perpetrate blackmail, identity theft, phishing, cyberbullying, among others nefarious uses.
As described in the image below, the API connects to the webserver’s database without authentication. This implies that the API just connects to the database without the database checking for username and password requirements to allow it to read/ write data to it. The danger of this misconfiguration is that anyone with access to the API can control what input or output into or from the database.
This led to the exposure of client records stored on the database since a simple query from the API returns all data stored on the database, regardless of who is querying for this data. This is not a vulnerability per se, but rather is a system misconfiguration that could have been fixed by modifying the code of the API to include authentication to the database and force the database to authenticate all entities that connect to it.
What went wrong?
The biggest oversight by the company was that the CIO overlooked the report published by the security researcher, which could have saved them a lot of trouble if they had remediated the issue. This mistake by Panera Bread can be used as a master class to all other companies that handle client data when it comes to cyber security.
Measures and precautions
1. Take into consideration advice from freelance security researchers and bug hunters. These are people who spend their time looking for bugs that could potentially expose confidential information as well as lead to financial losses and fraud. In as much as the advice is unsolicited, it goes a long way to help save the face of a company and such effort by researchers should, in fact, be rewarded and not trampled upon as in this case.
2. Regular review of systems security. For a company that has public facing infrastructure that holds client facing information, it is paramount to have these system checked at least quarterly for security threats by a third party. This includes checking for:
- Vulnerabilities
- System misconfigurations
- Use of insecure protocols
- Weak or clear text passwords
- Certificate related weaknesses.
The quarterly review is especially important since the cyber security landscape changes so fast and does not give technology users or security companies, time to catch up.
References:
Dhamija, R., Tygar, J. D., & Hearst, M. (2006, April). Why phishing works. In Proceedings of the SIGCHI conference on Human Factors in computing systems (pp. 581-590). ACM.
Yee, K. P., & Sitaker, K. (2006, July). Passpet: convenient password management and phishing protection. In Proceedings of the second symposium on Usable privacy and security (pp. 32-43). ACM.
Thompson, A. A. (2008). Panera Bread Company. AA ThompsonStricklandA. J. IIIGambleJ. E. (Eds.), Crafting and executing strategy: The quest for competitive advantage. New York, NY: McGraw-Hill.
Robert Hacket.2018. How Panera Bread Breach fumbled its Data leak- and what to learn from its mistakes. [Online] Available at http://fortune.com/2018/04/04/panera-bread-data-/ Robert Abel.2018. Panera breach neglected since 2017, may have exposed data of millions. Online. Available at. www.scmagazine.com/panera-breach-neglected-since-2017-may-have-exposed-data-of-millions/article/755990/
