Panera Bread: Do’s and Don’ts of Data Breach Crisis Management

Let’s step back together and revisit the recent Panera Bread exposure of data associated with millions of its customers.

The faulty and vulnerable Panera Bread data configurations were detected in August 2017. Panera apparently was very skeptical of the original security researcher, Dylan Houlihan, and responded to his notification with thanks. But, beyond that, the company did nothing.

Noted investigative reporter Brian Krebs, having a bit more public clout, confirmed with Houlihan that the vulnerability exposing the data still existed some eight months later and reached out to Panera. Krebs told the story on his blog.

Panera took the site down, and then issued a written statement announcing the company had fixed the problem within hours of being notified by Krebs.

The Panera PR machine reached out to media outlets, downplaying the severity, claiming only about 10,000 customers’ data had been exposed. Within minutes, like bees to honey, additional vulnerabilities within Panera were identified and published to social networks, resulting in what appears to be between 7 million and 37 million customers’ information being exposed.

Panera’s reaction?

The company took the site down. Eventually, the data configuration issues were rectified, and the Panera site was back in business. But not without more than a few lessons for all who handle customer information and their corporate partners. It’s clear that Panera could have handled the crisis management episode more adroitly and with better coordination between CIO, CISO and PR.

We can all learn from the episode.

Krebs’ tweet of 02 April 2018 gave us his opinion.

Communications Crisis Management Playbook Preparedness

Operational or HR crises are the norm, and communications departments often are asked to put the lipstick on the pig and make things better. Gini Dietrich, in her SpinSucks piece, “In the Trenches with Crisis Comms: 10 Things to Prepare,” details how these crisis events are opportunities for PR to step up and fix it.

The 10 identified areas to be prepared to act upon include:

  • Be Candid.
  • Be Consumer-Centered.
  • Be Consistent.
  • Be Contrite.
  • Be Compassionate.
  • Be Cooperative.
  • Be Correct.
  • Be Concise.
  • Stop Advertising.
  • Be Quick.

How many of these applied to the Panera data incident? What should companies do when they have a security incident involving customer data (notice I did not say “if”)?

We reached out to Dietrich, who is the CEO of Arment Dietrich, to get her advice for companies in similar positions.

“The challenge with a crisis is everyone also assumes it’s a PR crisis … and when it goes wrong, it’s PR that is blamed. On the contrary, PR is almost never what created the crisis, but also who is called in to fix it,” she said. “In the case of Panera, it’s clear the left and right arms didn’t know what the other was doing. PR didn’t have the information—or, in this case, data—to provide accurate information to its customers. Rarely is that the fault of PR, but the fault of culture and leadership. The only way to fix a situation like this is to have EVERYONE in the room, from InfoSec and lawyers to executives and communications. Only then can a consistent message be truthful and transparent.”

Questions Remain

We don’t know if the Panera IT/PR/Legal/HR teams practiced crisis management or if they had a playbook. Regardless, they were thrown in the deep end of the pool and found themselves flailing.

All companies, both big and small, can look at the Panera incident and conduct a bit of introspection. Could this sort of incident happen at my company? The answer, more often than not, is yes.

Perhaps we can collectively take on board the teaching moment provided by Panera and make sure that our company has a “crisis management playbook” in place: a playbook that is exercised and inculcated within the company, so that when the phone rings and Krebs tells you your data is showing, you say thank you and execute.

Security Boulevard

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.

