The industry and public were still reeling from the data breach that hit Saks Fifth Avenue and Lord & Taylor last week when another major breach stole the spotlight, this time at Panera Bread.
Krebs on Security reported Monday night (April 2) that the fast-casual bakery/café chain had been leaking names, emails, addresses, birthdays and partial credit card numbers (the last four digits) from its website for at least eight months.
A security researcher notified Panera of the vulnerability in August of 2017, at which time the company acknowledged the issue, saying it was working on a fix; but eight months later, the flaws were still there, which is when the researcher took the information to Krebs.
Panera took down its website on Monday after hearing from Krebs. The security gap was patched, and the site was back up and running within two hours — begging the question: Why did they wait so long?
Now, a leak isn’t necessarily a hack. Customer data may have been available in plain text from the site, but that doesn’t mean any bad guys took it. Panera said in a statement, “There is no evidence of payment card information nor a large number of records being accessed or retrieved.”
The potential impact, however, is that more than 7 million customer records may have been exposed. Panera uses sequential numbers for account IDs, so it would not have been difficult for someone to scrape all exposed customer accounts and start leveraging Panera loyalty cards to spend prepaid accounts or siphon value from them. This could have been done easily with automated indexing and crawling tools, reported Krebs.
If the U.S. thought it had seen the worst of things last September when Equifax leaked 147 million Americans’ sensitive data, it was wrong. There’s been a steady string of breaches ever since. Intrusion after intrusion has exposed security gaps in corporate networks, leaving retailer after retailer wondering how they’ll ever repair the damage — both in terms of cost and in terms of regaining their customers’ trust.
This past weekend, it was reported that as many as 5 million payment cards had been compromised at Saks and Lord & Taylor stores across North America (yes, including some in Canada). Both companies are part of Toronto-based retailer Hudson’s Bay.
Cybersecurity firm Gemini Advisory was the first to report that criminal group JokerStash had hacked the stores. JokerStash is known for selling stolen data on the criminal underground. The group said last week that it was planning to release more than 5 million stolen cards. So far, it has released 125,000, with three quarters of those coming from the Hudson’s Bay retailers.
Saks Fifth Avenue, Saks OFF 5TH and Lord & Taylor stores were all put at risk. The company does not believe that its eCommerce or digital platforms were impacted. However, it’s not yet clear whether the company’s network was secure, when the breach began or how many payment card numbers were truly taken. Some experts are saying the breach was ongoing for a year.
Nutrition app MyFitnessPal, owned and operated by Under Armour, discovered a data breach last week which impacted 150 million users. Wired reported that Under Armour suffered the breach in late February, detected it March 25 and disclosed it to the public on March 29 — much faster than others hit with similar breaches.
The other silver lining is that the company’s systems were apparently segmented enough to safeguard the most sensitive personally identifiable information (PII). Birthdays, locations and credit card numbers were not exposed. Instead, hackers gained only usernames, email addresses and passwords.
Most passwords were hashed using the “bcrypt” function, making them difficult and costly to crack — so even leaked passwords were still protected. So far, Under Armour is looking pretty good in terms of hack resilience.
However, some passwords were not as well-protected. They were hashed using a faster but weaker function — the same one that toppled hookup site Ashley Madison several months ago. Both companies were seemingly aware of which hash function would protect passwords the best, yet both failed to implement it consistently.
Online travel booking site Orbitz — owned by Expedia — announced last week that its legacy site, Amextravel.com, had been compromised. The breach took place between October and December 2017, exposing data from Jan. 1, 2016 through Dec. 22, 2017.
As many as 880,000 payment cards may have been exposed, alongside PII including names, birth dates, phone numbers, emails, shipping and billing addresses and genders. Orbitz does not believe that customer information such as itineraries or passports was affected by the breach.
The Bottom Line
Expedia said it was not sure whether hackers had actually taken any customer data, just that it had been exposed. Yet the same is probably true for Orbitz, Panera and any other recent data breaches, as well as whichever one comes next: If the information was just sitting there leaking, odds are that someone, somewhere saw that data and jumped on it.
A.N. Ananth, chief strategy officer at Netsurion, told PYMNTS, “The sad fact is that if you are a retailer or restaurant, the sharks are circling. For example, we recently spun up a dummy website as an experiment that was attacked 500,000 times in the first 24 hours.”
If fraudsters are putting that much work into hitting protected sites, they probably aren’t about to pass up free leaked data anywhere they can find it — and retailers with weak protection are making it all too easy for them.