Podcast: Play in new window | Download (Duration: 13:43 — 25.1MB) | Embed

Subscribe: Google Podcasts | Email | RSS

Panera Bread’s reaction to a breach of its customer records is a classic example of what not to do on so many levels that it’s hard to know where to start. Officials lied to reporters about the nature and extent of the breach, treated the security experts that knew what actually happened with disdain, took months to recognize the existence of the breach only after others revealed it to the public, told people that the leak was fixed when it wasn’t and glossed over the real issue: a major IT flaw in its application program interface specs that caused the breach to begin with (as well as another this week at P.F. Chang’s). It didn’t help matters that the chief information security officer at Panera came there from a similar job at Equifax in 2013.

The reaction from Ragan is a good summary of what happened and how the situation was mis-handled, and if you want more specifics from the security researcher that first found out about the flaw last August, can read this post on Medium. That latter link reproduces the email messages that showed how the company ignored the researcher’s notification. Firms need to hold themselves to better accountability, have breach plans in place, and make it easier for security researchers to submit vulnerability disclosures in a non-threatening and simple way.

About David Strom

David Strom is a former editor-in-chief of Network Computing and Tom's Hardware who has written two computer networking books and thousands of articles about B2B IT.

About Paul Gillin

Paul Gillin, host of FIR B2B, is a veteran technology journalist and a thought leader in new media. Since 2005, he has advised marketers and business executives on strategies to optimize their use of social media and online channels to reach buyers cost-effectively. Full bio