SecureMac, Inc.

The Checklist Podcast

SecureMac presents The Checklist. Each week, Nicholas Raba, Nicholas Ptacek, and Ken Ray hit security topics for your Mac and iOS devices. From getting an old iPhone, iPad, iPod, Mac, and other Apple gear ready to sell to the first steps to take to secure new hardware, each show contains a set of easy to follow steps meant to keep you safe from identity thieves, hackers, malware, and other digital downfalls. Check in each Thursday for a new Checklist!

Checklist 87: The Anatomy of a Data Breach, Part 2

Posted on May 7, 2018

Welcome to Episode 87. Last week, we took an in-depth look at data breaches: from how they happen to a few of the biggest ones, and of course, what you can do to protect yourself when a big company loses your data, we covered a lot of ground in that show. We’ve got further to go still, though!  This week we’re continuing with our look into data breaches by turning our attention to the business side of things. These breaches don’t happen randomly, and how a company responds to these problems and threats can make an enormous difference both in the effects on users and the business’s ability to defend against the bad guys.

With that in mind, here’s what’s on our checklist for today:

  • Panera teaches us how NOT to handle a data breach
  • What are companies doing to better protect against breaches?
  • What could businesses do better to keep our info safe?

While there’s no shortage of businesses we could look to for an example of how not to respond to word of a data breach, some recent fumbles at Panera give us both a timely and authentic example of “what not to do.” You might not think that purchasing a sandwich (or a cup of soup) could be an act that potentially exposes you to identity theft in the future, but as it turns out, a “mean sandwich” could be something other than a good thing.

Panera teaches us how NOT to handle a data breach

The security holes that lead to data breaches can come to light in several ways. Sometimes, hackers set their sights on a corporation’s computer systems hoping to raid them for personal data they can sell to others or use for their own nefarious purposes. As they probe the company systems, they discover a vulnerability or a leak that allows them to get inside.

At other times, the good guys get to them first: a security researcher might stumble upon a vulnerability accidentally or while looking around out of curiosity. These researchers then alert the company to the idea that the business should close the loophole. This latter scenario tends to happen most often because the researcher in question has an account on the affected service or website. When they see a situation they recognize could lead to the leaking of their personal information, they want to take action as soon as possible in the hopes of seeing it fixed.

Whether good intentions are in play or not, companies across virtually every industry are notoriously slow to respond to data breaches; Equifax’s mediocre reaction to their massive data breach is one good example of that. Some companies go one step further, though, and seem to drop the ball at every possible opportunity. If we were treating this like a real contest, there’s no question Panera would take home this year’s blue ribbon prize for Worst Response to a Data Breach.

Our story starts more than half a year ago, back in August of 2017. Then, a researcher named Dylan Houlihan reached out to Panera with news about customer data he discovered leaking from the food chain’s website. That information included customer names, email addresses, physical home addresses, birthdays, and even the last four digits of a customer’s saved credit card information. Even worse, Panera was using a sequential series of numbers to differentiate customer records, meaning it would be an insignificant process for bad guys to create a program that could scrape all the customer data off the site. Based on Houlihan’s research, nearly 7 million of these records were exposed and available through exploiting Panera’s site.

The company initially dismissed Houlihan’s findings, seeming to assume he was attempting to pull some scam on them, to either demand payment for discovery or to sell some form of protection. After an explanation from Houlihan, the representative changed course and received his report on the exposure. The company claimed it was “working on a resolution.” After that, Houlihan received nothing but radio silence.

Now eight months later, Houlihan became fed up with the fact that Panera’s site was still leaking information and nothing had been done to fix it. His next step: contacting prominent security researcher Brian Krebs of KrebsOnSecurity, and sharing what he knew about the exposure. Houlihan hoped that Krebs’ influence would be enough of a wake-up call to Panera — and in fact, within hours of Krebs’ contacting the company, the issue was “fixed” within hours. Only, in fact, it hadn’t been fixed at all.

Instead, Panera’s update only made it so that a user would have to use a valid login account to sign in — and then you could continue to access the leaky API’s data. This is only a smidgen better than leaving the records open and unprotected for the entire world. In the meantime, Krebs continued digging and discovered other portions of the site, such as the catering portal, were leaking data too. A Panera representative on Fox claimed that only 10,000 customer records had been exposed — but in fact, the total of all the exposed records numbered more than 37 million. One more (perhaps not-so-)fun fact: the person Houlihan initially corresponded with last year previously worked in security for Equifax.

The problem has since received an actual fix. However, Panera’s response — from ignoring the issue initially to implementing a poorly designed fix and even to resorting to PR spin to downplay the potential impact of such a breach — is a gold standard example of how not to react. A proactive response months ago could have closed the loophole, avoided a flurry of media activity, and dodged a public relations hit.

What are companies doing to better protect against breaches?

When you take a broad look at the way companies have responded to data breaches, it is easy to think they’re all equally horrible in their efforts to safeguard our data. In reality, though, that’s only one side of the story. Think about it: the only time this type of story hits the news is after a data breach occurs. You don’t often hear about all the things many of the world’s companies, both large and small, already do to protect both their own systems and your data, too. That’s why we think it’s important to pull back the curtain and take a closer look at some of the things companies are doing correctly when it comes to stopping breaches before they occur.

In our previous discussion, we spent some time talking about how often companies bury their heads in the sand when someone approaches them to discuss the fact that they have a data problem. Not everyone does that, though — in fact, some take the opposite approach and will hit the big red “password reset” button for every single one of their users as soon as they get even the hint of a potential data breach. Provided these businesses also patch their systems to close the vector used by the attackers to get in, this is the ideal way to make sure users take the threat more seriously as well. Not only does the company protect you, but it makes the threat more apparent to users. By requiring a password reset, you’ve got to think about the need to safeguard yourself.

Now, if there’s one industry that generally has your back when it comes to the security of your credit card information, it’s your bank. Both banks and credit card providers understand that data breaches can be subtle intrusions, and they may not always be able to detect them right away. Because of the tendency companies have to respond to breaches in a less than timely manner, these institutions have taken steps to ensure that they have automated systems in place to help stop threats before they become a bigger problem.

For example, have you ever received a call from your bank or card issuer to ask you to verify whether it was indeed you who made a specific purchase? That’s because there are programs at work in the background that identify abnormal credit card usage or purchases and throw up a red flag. That puts the issue in front of a real human, who can then reach out to make sure everything is all clear with you. These systems grow more advanced all the time and are highly useful for protecting customers in an age where many other businesses may leak their data without warning.

Financial institutions often go one step further, though, with staff whose job is focused explicitly on trawling the dark web, searching for databases of financial info for sale. If they find such a database, they’ll make an effort to obtain the data. They can then cross-check the stolen number with the cards they’ve issued to their customers; whenever they find a match, they can choose to cancel your card as a pre-emptive measure. If you’ve ever suddenly received a new card in the mail with a note about detection of potential fraud, this could be why.

It’s not purely altruistic, of course: credit card issuers are liable in the event of fraud if you take timely steps to report the activity to the company. Therefore, it’s clearly in their best interest to stay on top of data breaches and to take these steps. Even so, it works out to be a win-win, both for the businesses and cardholders like you.

E-commerce companies, the businesses that power almost every type of purchase and transaction on the web, also take some pretty significant steps to protect you. While you might shop on a branded storefront, behind the scenes, it’s e-commerce software and logistics efforts that facilitate the sale, payment, and dispatch of the product. The reason why is simple: the last thing you want is to have every site under the sun storing your CC info. If someone’s business site is hacked, it could put all that data at risk. By relying on a stronger third-party, none of that info needs to be stored on the business’s servers. Shops pay a cut of the sale in exchange for secure shopping cart software, credit card processing, and more.

These companies operate under strict rules because they handle cardholder data. The most reputable e-commerce businesses adhere to the Payment Card Industry Data Security Standard — also known as being “PCI Compliant.” In fact, most e-commerce businesses don’t store cardholder data either; they only use it to process individual transactions at the time of sale. For recurring services though, like a subscription, it’s a bit different.

When you need to re-bill a customer regularly, or when you want to offer customers the ability to save their cards, a company will often rely on a third-party for a service known as a credit card vault. There’s also a security process known as “tokenization” at play here, a process which helps to encrypt and protect the card data. The vault holds onto the credit card data and issues a valid “token” which the e-commerce company can then tie to a user account for use in recurrent billing.

These are just a few of the things going on behind the scenes to keep us safe — though there are many more. However, we could always do better…

What could businesses do better to keep our info safe?

So, what could businesses change about the way they approach security, or what could they add to their current efforts, to ensure that they’re truly doing all they can? The first and most important thing is also perhaps one of the most obvious: businesses must unequivocally make sure they’re able to store your personal information in a truly secure format. With that in place, even an actual hack of their systems will only net the attacker an encrypted database. Without another way, they’ll be left only the option of brute force — and with the right encryption, that can take years to break.

More than that, though, businesses should endeavor to collect less information from users. If companies could minimize the amount of information flowing onto their servers, they would have far less to worry about in the face of today’s growing security threats. Less data also means security teams have an easier time formulating and deploying plans to protect that info should someone get past the first lines of defense.

Whether you think corporations are people or not, they deserve the same type of advice we give to the people who listen to our show: up-to-date systems are vital for protection! Businesses could be much more proactive than they are today when it comes to staying up on the latest updates. Remember how Boeing recently got hit by the WannaCry ransomware, which spreads via unpatched vulnerabilities? Timely updates are essential even for systems that seem unimportant to the daily functions of the business. A single unpatched system can have big-time consequences when it comes to letting attackers gain a foothold. Consider the recent story of a casino in Las Vegas that had their internal list of “high roller” gamblers stolen because hackers tapped into the network through an insecure aquarium thermometer!

In that vein, good internal network security practices are also essential. There are automated systems that can be used to detect abnormal network traffic, which can be indicative of malware or hackers exfiltrating data from a system. Installing these systems can provide another critical defense mechanism.

How about all the times we’ve heard about user info being left in plaintext for someone to find? No company should ever store copies of sensitive data, such as usernames and passwords, “in the clear.” Even if that info is only available on the corporate network, that doesn’t mean it’s safe from a potential intruder. Such files might streamline specific processes within the business, but it’s also opening the company to all kinds of potential risks.

Lastly, our final suggestion concerns something that is simple regarding set-up, but admittedly harder to maintain day-to-day: companies should set up a reliable point of contact for researchers looking to submit and report on vulnerabilities in their sites or networks. That can be as simple as an email address or contact form on the business’s webpage clearly dedicated to security. Whatever the setup, it should be easy for researchers to locate, and — more importantly — it should be an account that a human regularly checks.

We don’t mean every business needs to implement their own full-blown bug bounty system. For smaller companies, it may simply not be affordable for them to do so.  What we do mean, though, is that there should be a reliable way for someone to contact the company when they discover a hole that must be reported. This means that there is someone who can manage responsibility for such an effort. Ideally, that point of contact is the same person who handles the company’s computer and network security efforts in the first place.

There will be false positives and spam, and there will be the charlatans and hackers who claim to be able to fix your systems if you’ll only send them some Bitcoin or Ether, but it’s worth wading through the junk. The one time that you receive a report and it turns out to help you solve an issue before it turns into a real problem makes all the other false reports worth the time and effort. That’s the kind of attitude needed in enterprise-level security today.

That wraps up today’s topic — we hope that, as we go forward in time, we start seeing more businesses handle things “the right way,” rather than following the example recently set by Panera. Data breaches aren’t going away, after all, so vigilance must be the name of the game.

If you’d like a refresher on the topics we covered in the first part of this two-part episode, you can check out both the audio and the show notes for Episode 86 — and every other episode of The Checklist. Questions or comments? 

Join our mailing list for the latest security news and deals