Panera Bread can make you a sandwich in a few minutes, but it will need a little more time to tell you that it leaked your data to the entire internet.
How long? Try, eight months. That’s how much time elapsed between when security researcher Dylan Houlihan first warned the St. Louis-based fast-casual chain about a flaw on its site and the firm actually taking action.
That may be infuriating, but it shouldn’t be surprising. We keep seeing these data-breach debacles in part because you can’t make a federal case out of them: No nationwide law compels companies to address a data breach quickly, and you shouldn’t expect one anytime this year. Or maybe even next.
Houlihan first tried notifying Panera last August that its site exposed the data of potentially millions of online-ordering accounts — including customers’ phone numbers and the last four digits of saved credit cards.
As Houlihan related in a Medium.com post Monday, after multiple messages went unanswered or bounced (spoiler alert: not a good sign when a company doesn’t have a catchall security@companyname email address), the company finally assured him that it was working to resolve the problem.
Then nothing changed for months.
Fed up, Houlihan tipped off cybersecurity journalist Brian Krebs and data-breach researcher Troy Hunt. After Krebs put in a query, Panera took its entire site offline and then said it had fixed the problem.
But after Krebs’ published his post Tuesday, Panera began telling news sites that only 10,000 accounts had been exposed. But security researchers found that not only was the vulnerability still there, the total number of customer records could actually top 37 million.
Security consultant Adam Shostack’s two-word review of Panera’s response: “quite poor.”
Panera’s PR department did not answer requests for comment.
That should look familiar
Denial and delay have been part of the industry data-breach playbook for years. Equifax (EFX) learned in late July of last year that unknown attackers had exploited a vulnerability on its site to access sensitive data of about 143 million Americans — including Social Security Numbers — but didn’t loop the rest of us in until September.
Yahoo (Yahoo Finance’s parent company) had data of all 3 billion users exposed in a series of breaches from 2013 to 2016, but we only learned of them after Verizon (VZ) agreed to buy the company. The U.S. has since filed charges against a set of Russian hackers.
Sometimes, you can’t even blame hackers for the data breach: Too many companies leave databases open to the web for anybody to click around.
It’s positively refreshing when we learn in days about a breach. For example, Under Armour (UA) took only a week to notify roughly 150 million users of its MyFitnessPal app that it had exposed their usernames, email addresses and scrambled passwords.
No federal standard
As of January 1, 48 states had legislation setting various standards for data-breach notification. At the federal level, privacy laws govern the finance and health-care industries, but for other sectors the state of federal data-breach regulation amounts to “file not found.”
That despite the fact that just about all the industries involved support having one federal standard — if nothing as strict as the European Union’s upcoming General Data Protection Regulation, which will impose a 72-hour disclosure timetable.
“We would love to see something uniform,” said Stephanie Martz, general counsel for the National Retail Federation. “We would love to see something that requires notification for anyone that was breached.”
Jason Kratovil, vice president of government affairs at the Financial Services Roundtable, said much the same thing, backing “a strong federal standard.”
So what’s the holdup? Kratovil pointed to bipartisan pockets of opposition to having a federal bill override state laws: “You can also have states-rights Republicans that are also against preemption.”
Martz said the NRF has objected to provisions in past bills that would have reserved the strictest customer-notification rules on retailers.
Both Martz and Kratovil said any bill should scale the severity of its security requirements with the size of firms and the sensitivity of the data they handle.
But the immediate problem facing Congress is a lack of actual legislation. As Martz said: “Nothing has even been marked up this Congress.”
Rep. Carolyn Maloney (D.-N.Y.) has a discussion draft of one, the “Data Acquisition and Technology Accountability and Security Act.” But while it may only be April, few people expect Congress to tackle any other major bills before the midterms.
The White House, meanwhile, has not led on this issue. “I haven’t really seen anything public on these issues,” Kratovil said.
You can hope that individual companies can do better — Shostack, the security consultant, said he’s seeing significantly more attention to breach prevention from firms. “Five years ago, it was only the very largest. Now I’m talking with mid-market companies,” he wrote.
But considering that data-privacy bills have been getting stuck in legislative mud since at least 2005, things may not get better with a new Congress. As FSR’s Kratovil said: “If Equifax couldn’t cause immediate action and reaction, it’s had to think of another breach that would.”
More from Dan: