
When responding to a crisis, it’s important to be fast—and accurate.
When Panera Bread executives learned that reporters had discovered a
security flaw in its website that had potentially leaked millions of
customer accounts—including names, home addresses and the last four digits
of credit cards—the company immediately patched the site and reached out to
news outlets.
Even when security analysts first notified Panera of the problem, its
response was tepid. Security reporter Brian Krebs detailed how the company
had responded to reports that its site was vulnerable.
He wrote:
KrebsOnSecurity learned about the breach earlier today after being
contacted by security researcher Dylan Houlihan, who said
he initially notified Panera about customer data leaking from its Web site
back on August 2, 2017.
A long message thread that Houlihan shared between himself and Panera
indicates that Mike Gustavison, Panera’s director of
information security, initially dismissed Houlihan’s report as a likely
scam. A week later, however, those messages suggest that the company had
validated Houlihan’s findings and was working on a fix.
Fast forward to early this afternoon — exactly eight months to the day
after Houlihan first reported the problem — and data shared by Houlihan
indicated the site was still leaking customer records in plain text. Worse
still, the records could be indexed and crawled by automated tools with
very little effort.
After the story was published by Krebs, Panera went on the record with Fox
Business stating that the breach was minimal, estimating that fewer than
10,000 customers were affected.
It reported:
“Panera takes data security very seriously, and this issue is resolved,”
Panera Bread Chief Information Officer John Meister said in a statement to
FOX Business. “Following reports today of a potential problem on our
website, we suspended the functionality to repair the issue. Our
investigation is continuing, but there is no evidence of payment card
information nor a large number of records being accessed or retrieved.”
Meister added: “Our investigation to date indicates that fewer than 10,000
consumers have been potentially affected by this issue, and we are working
diligently to finalize our investigation and take the appropriate next
steps.”
That’s when Krebs, and other security insiders, got angry.
After questioning Panera’s numbers, Krebs did a little more digging and discovered the website was far more compromised than had been understood—and that the original problem hadn’t been fixed after all.
Krebs clearly was furious over how Panera had responded to his reporting.
His final recommendation? Rebuild the website from scratch.
In a strange twist, Krebs discovered via LinkedIn that the head of digital security for Panera was a former employee of Equifax, the credit data firm that lost over 100 million customer records to hackers last year.
The breach highlights the problem of customer loyalty reward programs that
offer limited benefits in exchange for data.
The Washington Post wrote:
As with so many other data breaches, this one raises questions for
consumers. In some respects, it’s grown ever more difficult to avoid
e-commerce transactions. Many people now manage their personal banking on
mobile apps. And consumers appreciate the convenience of ordering goods
online. Every relationship and transaction raises the possibility of a data
breach.
But loyalty programs, which promise perks and convenience in exchange for
personal data, are another realm. And Panera’s breach makes one wonder: Is
a free sandwich worth the hassle of having personal identifying information
floating into the wrong hands?
This data breach is just the latest in a series of data-themed crises for
companies from tech giants such as Facebook to major retailers including
Saks Fifth Avenue. As communicators learn more and more about what the public wants in
response to these data losses, some rules have emerged:
1. Be quick to respond—but don’t fudge the details.
Although staying silent, as Facebook did, elicited criticism and ensured the company would lose control of the
story, Panera’s inaccurate response sparked the ire of reporters and
security experts. Companies shouldn’t expect journalists to give them a
pass as security experts push for tougher reporting and accountability on
these stories.
In his blog, the researcher who first discovered the Panera vulnerability
called for more accountability.
He wrote:
We could collectively afford to be more critical of companies when they
issue reactionary statements to do damage control. We need to hold them to
a higher standard of accountability. I honestly don’t know what that looks
like for the media, but there has to be a better way to do thorough,
comprehensive reporting on this.
Companies should be ready to provide it.
2. Treat reporters with courtesy.
If you do an end run around one reporter and go to another outlet to spin
your story, you are being rude to the reporter who first reached out to
you. Journalists won’t take that lying down.
3. Be humble.
As tech security evolves, the chances that your system will be compromised
seem to grow. As difficult as it may be, when your data is breached, it is
essential to show a little humility. Don’t assume you know the full extent
of the damage; offer an apology.
4. Start an investigation, and follow up.
When Saks Fifth Avenue learned it had leaked credit card details for
millions of customers, it stated it would investigate the full reach of the
crisis and provide
more data at a later time. Investigations can protect the party being
investigated from scrutiny and negative media coverage by acknowledging the
problem and delivering on promises for more information.
How would you advise Panera to repair its media relationships?