Panera accused security researcher of “scam” when he reported a major flaw
Eight months ago, Panera Bread was notified of a security flaw that was leaking customer information to anyone who knew where to look for it. But the company failed to fix the flaw until this week after the breach was made public in a report suggesting that it affected 37 million customer records.
Panera Bread said this week that the leak affected fewer than 10,000 consumers and that it has been fixed. But security reporter Brian Krebs and the security researcher who notified Panera of the breach last year disputed that account. They say that millions of customer records were available online and that they remained available at publicly accessible URLs after Panera said the flaw was fixed. Those URLs appear to have finally been scrubbed of the customer information, as they now produce error messages instead of customer data.
The records "could be indexed and crawled by automated tools with very little effort," Krebs wrote yesterday. Leaked data included Panera customers' loyalty card numbers, "which could potentially be abused by scammers to spend prepaid accounts or to otherwise siphon value from Panera customer-loyalty accounts," he wrote.