Let’s step back together and revisit the recent Panera Bread exposure of data associated with millions of its customers.
The faulty and vulnerable Panera Bread data configurations were detected in August 2017. Panera apparently was very skeptical of the original security researcher, Dylan Houlihan, and responded to his notification with thanks. But, beyond that, the company did nothing.
Noted investigative reporter Brian Krebs, having a bit more public clout, confirmed with Houlihan that the vulnerability exposing the data still existed some eight months later and reached out to Panera. Krebs told the story on his blog.
Panera took the site down, and then issued a written statement announcing the company had fixed the problem within hours of being notified by Krebs.
The Panera PR machine reached out to media outlets, downplaying the severity, claiming only about 10,000 customers’ data had been exposed. Within minutes, like bees to honey, additional vulnerabilities within Panera were identified and published to social networks, resulting in what appears to be between 7 million and 37 million customers’ information being exposed.
The company took the site down. Eventually, the data configuration issues were rectified, and the Panera site was back in business. But not without more than a few lessons for all who handle customer information and their corporate partners. It’s clear that Panera could have handled the crisis management episode more adroitly and with better coordination between CIO, CISO and PR.
We can all learn from the episode.
Krebs’ tweet of 02 April 2018 gave us his opinion.
As the disclosure shitshow that describes @panerabread response to their breach indicates, most companies respond to breach notifications like they would a stranger telling them they have a cold sore on their lip. If you get no love, please ping krebsonsecurity @ gmail dot com
— briankrebs (@briankrebs) April 3, 2018
Communications Crisis Management Playbook Preparedness
Operational or HR crises are the norm, and communications departments often are asked to put the lipstick on the pig and make things better. Gini Dietrich, in her SpinSucks piece, “In the Trenches with Crisis Comms: 10 Things to Prepare,” details how these crisis events are opportunities for PR to step up and fix it.
The 10 identified areas to be prepared to act upon include:
- Be Candid.
- Be Consumer-Centered.
- Be Consistent.
- Be Contrite.
- Be Compassionate.
- Be Cooperative.
- Be Correct.
- Be Concise.
- Stop Advertising.
- Be Quick.
How many of these applied to the Panera data incident? What should companies do when they have a security incident involving customer data (notice I did not say “if”)?
We reached out to Dietrich, who is the CEO of Arment Dietrich, to get her advice for companies in similar positions.
“The challenge with a crisis is everyone also assumes it’s a PR crisis … and when it goes wrong, it’s PR that is blamed. On the contrary, PR is almost never what created the crisis, but also who is called in to fix it,” she said. “In the case of Panera, it’s clear the left and right arms didn’t know what the other was doing. PR didn’t have the information—or, in this case, data—to provide accurate information to its customers. Rarely is that the fault of PR, but the fault of culture and leadership. The only way to fix a situation like this is to have EVERYONE in the room, from InfoSec and lawyers to executives and communications. Only then can a consistent message be truthful and transparent.”
We don’t know if the Panera IT/PR/Legal/HR teams practiced crisis management or if they had a playbook. Regardless, they were thrown in the deep end of the pool and found themselves flailing.
All companies, both big and small, can look at the Panera incident and conduct a bit of introspection. Could this sort of incident happen at my company? The answer, more often than not, is yes.
Perhaps we can collectively take on board the teaching moment provided by Panera and make sure that our company has a “crisis management playbook” in place: a playbook that is exercised and inculcated within the company, so that when the phone rings and Krebs tells you your data is showing, you say thank you and execute.